
List:       full-disclosure
Subject:    [Full-disclosure] eFront Enterprise v3.6.10 - Multiple Remote
From:       "research () vulnerability-lab ! com" <research () vulnerability-lab ! com>
Date:       2011-10-28 17:14:50
Message-ID: 4EAAE30A.4040901 () vulnerability-lab ! com

Title:
======
eFront Enterprise v3.6.10 - Multiple Remote Vulnerabilities


Date:
=====
2011-10-27


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=298


VL-ID:
=====
298


Introduction:
=============
Tailored with larger organizations in mind, eFront Enterprise offers solutions for the
management of companies most valued asset - the people. Based on a coherent approach to human
capital management which keeps the workforce actively engaged, the eFront Enterprise platform
offers the means of aligning learning programs with business goals to cultivate employee
skills and knowledge associated with business performance. eFront Enterprise builds on top of
eFront Educational.

(Copy of the Vendor Homepage: http://efrontlearning.net/product/efront-enterprise.html)


Abstract:
=========
An anonymous researcher of the Vulnerability Laboratory Team discovered multiple remote
vulnerabilities in eFront Enterprise CMS v3.6.10.


Report-Timeline:
================
2011-10-20:	Vendor Notification
2011-10-21:	Vendor Response/Feedback
2011-10-26:	Vendor Fix/Patch
2011-10-27:	Public or Non-Public Disclosure


Status:
========
Published


Exploitation-Technique:
=======================
Remote


Severity:
=========
Critical


Details:
========
1.1
An anonymous researcher of the Vulnerability Laboratory Team discovered multiple SQL
injection vulnerabilities in eFront Enterprise CMS v3.6.10. The vulnerabilities allow a remote
attacker or a local low-privileged user account (trainee) to inject their own SQL
commands/statements via a vulnerable parameter. Successful exploitation of the SQL injection
vulnerabilities can result in DBMS & CMS compromise.

Vulnerable Module(s):
				[+] survey

Vulnerable File(s):
				[+] professor.php

Vulnerable Param(s):
				[+] ?ctg=survey&surveys_ID=
				[+] ?ctg=survey&screen_survey=

1.2
An anonymous researcher of the Vulnerability Lab Team discovered a database disclosure
vulnerability in eFront Enterprise CMS v3.6.10. Successful exploitation can result in
theft of the database after an upgrade or installation of the CMS.

Vulnerable Module(s):
				[+] Install

Vulnerable File(s):
				[+] install.php

Vulnerable Param(s):
				[+] ?step=2&upgrade=1


Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers & local low-privileged user accounts.
For demonstration or reproduction ...

1.1 - SQL Injection Vulnerabilities

PoC:
http://xxx.com/enterprise/www/professor.php?ctg=survey&action=preview&surveys_ID=1+and%201=0--
http://xxx.com/enterprise/www/professor.php?ctg=survey&action=preview&surveys_ID=1+and%201=1--


1.2 - Database Disclosure Vulnerability

PoC:
http://www.xxx.com/e-learning/www/install2/install.php?step=2&upgrade=1   <View Source>
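
Added example (not part of the original advisory or of eFront's code): a log check for both issues above, flagging survey requests to professor.php whose surveys_ID or screen_survey value is not a plain number, and any successful request to install.php. The log lines are constructed samples, and the rules that legitimate IDs are decimal integers and that the installer should not be reachable on a production site are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not from the advisory.
SAMPLE_LOG = """\
198.51.100.7 - - [27/Oct/2011:10:01:02 +0000] "GET /enterprise/www/professor.php?ctg=survey&action=preview&surveys_ID=12 HTTP/1.1" 200 5120
198.51.100.9 - - [27/Oct/2011:10:02:10 +0000] "GET /enterprise/www/professor.php?ctg=survey&action=preview&surveys_ID=1+and%201=0-- HTTP/1.1" 200 812
198.51.100.9 - - [27/Oct/2011:10:02:11 +0000] "GET /enterprise/www/professor.php?ctg=survey&action=preview&surveys_ID=1+and%201=1-- HTTP/1.1" 200 5120
203.0.113.4 - - [27/Oct/2011:10:05:44 +0000] "GET /e-learning/www/install2/install.php?step=2&upgrade=1 HTTP/1.1" 200 9931
203.0.113.5 - - [27/Oct/2011:10:06:00 +0000] "GET /e-learning/www/install2/install.php?step=2&upgrade=1 HTTP/1.1" 404 211
"""

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) ')
ID_PARAMS = ("surveys_ID", "screen_survey")  # parameters named in the advisory


def classify(line):
    """Return (client, finding) for a suspicious request, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target, status = m.group(1), m.group(2), int(m.group(3))
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)  # decodes '+' and %xx
    script = url.path.rsplit("/", 1)[-1].lower()
    if script == "professor.php" and query.get("ctg") == ["survey"]:
        for name in ID_PARAMS:
            for value in query.get(name, []):
                # Assumption: legitimate values are plain decimal IDs.
                if not re.fullmatch(r"[0-9]+", value):
                    return client, f"non-numeric {name}={value!r}"
    # Assumption: the installer should not answer on a production site.
    if script == "install.php" and status < 400:
        return client, f"installer reachable (HTTP {status})"
    return None


def scan(log_text):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]


if __name__ == "__main__":
    for client, finding in scan(SAMPLE_LOG):
        print(client, finding)
```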


Solution:
=========
2011-10-26:	Vendor Fix/Patch  => http://forum.efrontlearning.net/viewtopic.php?f=15&t=3501


Risk:
=====
The security risk of the vulnerabilities is estimated as high(+).


Credits:
========
Vulnerability Research Laboratory - Mohammed Abdelkader A.


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty.
Vulnerability-Lab disclaims all warranties, either expressed or implied, including the
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or
its suppliers are not liable in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even if Vulnerability-Lab or its
suppliers have been advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. Any modified copy or reproduction, including partially usages, of
this file requires authorization from Vulnerability-Lab. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use
of other media, are reserved by Vulnerability-Lab or its suppliers.

    						Copyright © 2011|Vulnerability-Lab




-- 
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin@vulnerability-lab.com or support@vulnerability-lab.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

