SECURITY VULNERABILITY

ebsi
FormaLms User
Posts: 28
Joined: Mon Jun 25, 2012 3:50 pm
Location: Mayo, Ireland

SECURITY VULNERABILITY

Post by ebsi »

Hi all

Take a look at this from
http://www.itsecuritysolutions.org/2011 ... lities.txt

Have a look and comment if it's been fixed?

Thomas

################################################################################
### DoceboLMS 4.0.4 multiple security vulnerabilities
################################################################################
~ Brendan Coles < bcoles at gmail dot com > ~ 2011-03-20

# Summary :

There is a reflected Cross Site Scripting (XSS) vulnerability in DoceboLMS
4.0.4 which may allow an attacker to take control of the software. There are
also numerous Full Path Disclosure vulnerabilities. Previous versions may
also be affected.

# Software :

# Software Link: DoceboLMS ( http://www.docebo.org/doceboCms/index.php )
# Vulnerable Versions: 4.0.4 (previous versions may also be affected)
# Vendor Notification:
# [2011-03-20] webmaster@docebo.org, support@docebo.org
# [2011-03-27] No reply. Advisory released.

# Vulnerability Reference :

# Cross-Site Scripting (XSS) : http://www.owasp.org/index.php/Cross-si ... ting_(XSS)
# Full Path Disclosure (FPD) : http://www.owasp.org/index.php/Full_Path_Disclosure


# Vulnerabilities :

# Reflected Cross-Site Scripting (XSS) # 4.0.4 :

The vulnerability is due to failure in the "clean_input_keys($str)" function
in "/lib/lib.filterinput.php" to properly sanitize user-supplied data in the
array index when presenting the "Disallowed key characters in global data"
message which is ironically triggered by the presence of the XSS payload.

The following proof of concept is available:

http://demo.docebo.org/index.php?any-paramater-here[<script>eval(alert(String.fromCharCode(88,83,83)))</script>]


# Information Disclosure # Full Path Disclosure # 4.0.4 :

The following proof of concept is available:

http://demo.docebo.org/index.php?specia ... g&new_lang[]
http://demo.docebo.org/index.php?op[]

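The reflected XSS the advisory describes, as an added illustration (this is not DoceboLMS's own clean_input_keys; the regex and the message wording are assumptions): a key-validation error that echoes the rejected key back unescaped, beside a hardened version that logs the key and returns a generic message.

```php
<?php
// Added illustration, not DoceboLMS code. The allowed-key pattern below is
// an assumption chosen for the example, not the project's real rule.
const ALLOWED_KEY = '/^[a-z0-9:_\/-]+$/i';

// Vulnerable pattern: the check correctly rejects the key, but the error
// text reflects the raw key into the HTML response. A query string such as
// ?param[<script>...</script>] makes the bracketed array index the key, so
// the rejection message itself becomes the XSS sink.
function clean_input_keys_vulnerable(string $key): string
{
    if (!preg_match(ALLOWED_KEY, $key)) {
        return 'Disallowed key characters in global data: ' . $key;
    }
    return $key;
}

// Hardened pattern: never reflect untrusted input into the page. Keep the
// offending value for detection (HTML-encoded, so log viewers are safe too)
// and serve a fixed message with no user-controlled content.
function clean_input_keys_hardened(string $key): string
{
    if (!preg_match(ALLOWED_KEY, $key)) {
        $safe = htmlspecialchars($key, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        error_log('Rejected request key: ' . $safe);
        return 'Disallowed key characters in global data.';
    }
    return $key;
}

// Constructed sample key, shaped like the array index in the advisory's
// proof of concept. A benign key passes both functions unchanged.
$payloadKey = '<script>alert(1)</script>';
$benignKey  = 'new_lang';

echo clean_input_keys_vulnerable($payloadKey), PHP_EOL; // reflects the tag
echo clean_input_keys_hardened($payloadKey), PHP_EOL;   // generic message
echo clean_input_keys_hardened($benignKey), PHP_EOL;    // key passes through
```

Running it with `php` shows the first line containing the raw `<script>` tag and the second line free of any attacker-controlled text.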

alberto
FormaLms Guru
Posts: 951
Joined: Fri Mar 02, 2012 9:18 am

Re: SECURITY VULNERABILITY

Post by alberto »

Hi Thomas, these vulnerabilities should have been fixed in version 405 together with other issues.
This is the official changelog:

Security fix:
Fixed sql injection with iotask connectors; thanks to mr_me (net-ninja.net) for reporting this.
Fixed script injection vulnerability in tags module by Bicocca
Fixed Cross-Site Scripting vulnerability reported by Brendan Coles
Added whitelist parameter for file uploads; this can be set in Admin > Main > Settings > Advanced
--------------------------------------------------
Become a CONTRIBUTOR

Support the project for FREE!
www.Elearnit.net

ebsi
FormaLms User
Posts: 28
Joined: Mon Jun 25, 2012 3:50 pm
Location: Mayo, Ireland

Re: SECURITY VULNERABILITY

Post by ebsi »

That's great, thanks Alberto

Thomas
