Title: PG eLMS Pro vDEC_2007_01 (contact_us.php) Multiple POST XSS Vulnerabilities
Advisory ID: ZSL-2011-5027
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 14.07.2011

Summary

eLMS Pro solution is an outstanding and yet simple Learning Management system. Our product is designed for any education formations: from small distance training companies up to big colleges and universities. The system allows to build courses, import SCORM content, deploy online learning, manage users, communicate with users, track training results, and more.

Description

Input passed via the 'subject', 'name', 'email' and 'body' parameters to 'contact_us.php' script is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Vendor

PilotGroup Ltd - http://www.elmspro.com

Affected Version

DEC_2007_01

Tested On

Microsoft Windows XP Professional SP3 (EN)
Apache 1.3.27 (Win32)
PHP 5.2.4
MySQL 14.14 Distrib 5.1.43 (Win32-ia32)

Vendor Status

[08.07.2011] Vulnerability discovered.
[08.07.2011] Initial contact with the vendor.
[13.07.2011] No response from vendor.
[14.07.2011] Public security advisory released.

PoC

elms_xss.html

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] http://packetstormsecurity.org/files/103052
[2] http://www.exploit-db.com/exploits/17531/
[3] http://www.securityfocus.com/bid/48681
[4] http://securityreason.com/exploitalert/10621
[5] http://xforce.iss.net/xforce/xfdb/68567
[6] http://secunia.com/advisories/40163/

Changelog

[14.07.2011] - Initial release
[15.07.2011] - Added reference [3] and [4]
[19.07.2011] - Added reference [5] and [6]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk