← Advisories

PG eLMS Pro vDEC_2007_01 Multiple Blind SQL Injection Vulnerabilities

Medium
Advisory ID
ZSL-2011-5028
Release Date
14 July 2011
Vendor
PilotGroup Ltd - http://www.elmspro.com
Affected Version
DEC_2007_01
CVE
N/A
Tested On
Microsoft Windows XP Professional SP3 (EN), Apache 1.3.27 (Win32), PHP 5.2.4, MySQL 14.14 Distrib 5.1.43 (Win32-ia32)
Summary

eLMS Pro solution is an outstanding and yet simple Learning Management system. Our product is designed for any education formations: from small distance training companies up to big colleges and universities. The system allows to build courses, import SCORM content, deploy online learning, manage users, communicate with users, track training results, and more.

Description

Input passed via the 'lang_code' GET parameter to index.php and login.php in '/www/core/language.class.php', and 'login' POST parameter to login.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Proof of Concept
elms_sqli.txtTXT
Disclosure Timeline
08.07.2011Vulnerability discovered.
08.07.2011Initial contact with the vendor.
13.07.2011No response from vendor.
14.07.2011Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]http://packetstormsecurity.org/files/103053
[2]http://www.exploit-db.com/exploits/17532/
[3]http://www.securityfocus.com/bid/48681
[4]http://securityreason.com/exploitalert/10620
[5]http://xforce.iss.net/xforce/xfdb/68568
[6]http://secunia.com/advisories/40163/
Changelog
14.07.2011Initial release
15.07.2011Added reference [3] and [4]
19.07.2011Added reference [5] and [6]