PG eLMS Pro vDEC_2007_01 Multiple Blind SQL Injection Vulnerabilities

Title: PG eLMS Pro vDEC_2007_01 Multiple Blind SQL Injection Vulnerabilities
Advisory ID: ZSL-2011-5028
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (3/5)
Release Date: 14.07.2011
Summary
eLMS Pro solution is an outstanding and yet simple Learning Management system. Our product is designed for any education formations: from small distance training companies up to big colleges and universities. The system allows to build courses, import SCORM content, deploy online learning, manage users, communicate with users, track training results, and more.
Description
Input passed via the 'lang_code' GET parameter to index.php and login.php in '/www/core/language.class.php', and 'login' POST parameter to login.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Vendor
PilotGroup Ltd - http://www.elmspro.com
Affected Version
DEC_2007_01
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 1.3.27 (Win32)
PHP 5.2.4
MySQL 14.14 Distrib 5.1.43 (Win32-ia32)
Vendor Status
[08.07.2011] Vulnerability discovered.
[08.07.2011] Initial contact with the vendor.
[13.07.2011] No response from vendor.
[14.07.2011] Public security advisory released.
PoC
elms_sqli.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://packetstormsecurity.org/files/103053
[2] http://www.exploit-db.com/exploits/17532/
[3] http://www.securityfocus.com/bid/48681
[4] http://securityreason.com/exploitalert/10620
[5] http://xforce.iss.net/xforce/xfdb/68568
[6] http://secunia.com/advisories/40163/
Changelog
[14.07.2011] - Initial release
[15.07.2011] - Added reference [3] and [4]
[19.07.2011] - Added reference [5] and [6]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk