164 lines
No EOL
5 KiB
Text
164 lines
No EOL
5 KiB
Text
Security Advisory - Curesec Research Team
|
|
|
|
1. Introduction
|
|
|
|
Affected Product: Atutor 2.2
|
|
Fixed in: partly in ATutor 2.2.1-RC1, complete in 2.2.1
|
|
Fixed Version Link: http://www.atutor.ca/atutor/download.php
|
|
Vendor Website: http://www.atutor.ca/
|
|
Vulnerability Type: XSS
|
|
Remote Exploitable: Yes
|
|
Reported to vendor: 11/17/2015
|
|
Disclosed to public: 02/01/2016
|
|
Release mode: Coordinated Release
|
|
CVE: n/a
|
|
Credits Tim Coen of Curesec GmbH
|
|
|
|
2. Overview
|
|
|
|
Atutor is a learning management system (LMS) written in PHP. In version 2.2, it
|
|
is vulnerable to multiple reflected and persistent XSS attacks.
|
|
|
|
The vulnerabilities can lead to the stealing of cookies, injection of
|
|
keyloggers, or the bypassing of CSRF protection. If the victim is an admin, a
|
|
successful exploitation can lead to code execution via the theme uploader, and
|
|
if the victim is an instructor, this can lead to code execution via a file
|
|
upload vulnerability in the same version of Atutor.
|
|
|
|
3. Details
|
|
|
|
XSS 1: Reflected XSS - Calendar
|
|
|
|
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
|
|
|
|
Description: The calendar_next parameter of the calendar is vulnerable to XSS.
|
|
This issue has been fixed in ATutor 2.2.1-RC1.
|
|
|
|
Proof of Concept:
|
|
|
|
http://localhost/ATutor/mods/_standard/calendar/getlanguage.php?token=calendar_next<script>alert(1)<%2fscript>&pub=1
|
|
|
|
Code:
|
|
|
|
/mods/_standard/calendar/getlanguage.php
|
|
$token = $_GET['token'];
|
|
echo _AT($token);
|
|
|
|
XSS 2: Persistent XSS - Profile
|
|
|
|
CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
|
|
|
|
Description: When saving profile information, < is filtered out. < on the
|
|
other hand is not filtered, but converted to <, which leads to persistent XSS.
|
|
|
|
A user account is needed, but registration is open by default. This issue has
|
|
been fixed in ATutor 2.2.1.
|
|
|
|
Proof of Concept:
|
|
|
|
Visit:
|
|
http://localhost/ATutor/users/profile.php
|
|
In any field, enter
|
|
<img src=no onerror=alert(1)>
|
|
|
|
The input is for example echoed when visiting http://localhost/ATutor/users/
|
|
profile.php. This self-XSS may be exploited by force-logging in the victim.
|
|
|
|
The input is not only echoed to the user themselves, but also in other places.
|
|
|
|
For example, an attacker could send a private message to a victim. When the
|
|
victim views the message, or visits their inbox, the injected code will be
|
|
executed.
|
|
|
|
XSS 3: Persistent XSS - Forum
|
|
|
|
CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
|
|
|
|
Description: When creating a forum post, the Subject parameter is vulnerable to
|
|
persistent XSS.
|
|
|
|
A user account is needed, but registration is open by default. This issue has
|
|
been fixed in ATutor 2.2.1.
|
|
|
|
Proof of Concept:
|
|
|
|
Visit a forum, eg here:
|
|
http://localhost/ATutor/mods/_standard/forums/forum/view.php?fid=1&pid=1
|
|
Post a new message, as Subject, use:
|
|
Re: test topic'"><img src=no onerror=alert(1)>
|
|
|
|
In ATutor 2.2.1-RC1, < and > are encoded, preventing the proof of concept from
|
|
working. But until version 2.2.1, it was still possible to exploit this issue
|
|
either by using the JavaScript context the input is echoed into (onClick), or
|
|
by adding a new attribute:
|
|
|
|
adding new attributes:
|
|
Re: ';" onmouseover="alert(1); var foo='
|
|
staying inside the existing JavaScript context:
|
|
Re: test topic';alert(1);var foo='
|
|
|
|
XSS 4: Persistent self-XSS - Calendar
|
|
|
|
CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N
|
|
|
|
Description: The event name of the calendar is vulnerable to persistent XSS.
|
|
The calendar seems to be shown only to the user creating it, meaning the only
|
|
way to exploit this issue would be to force-login the victim.
|
|
|
|
A user account is needed, but registration is open by default. This issue has
|
|
been fixed in ATutor 2.2.1-RC1.
|
|
|
|
Proof of Concept:
|
|
|
|
Visit: http://localhost/ATutor/mods/_standard/calendar/index_mystart.php
|
|
Create event with name:
|
|
'"><img src=no onerror=alert(1)>
|
|
Visit event page: http://localhost/ATutor/mods/_standard/calendar/index_mystart.php
|
|
|
|
XSS 5: Persistent XSS - Chat
|
|
|
|
CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
|
|
|
|
Description: When viewing the chat history, chat messages are not properly HTML
|
|
encoded, leading to persistent XSS.
|
|
|
|
A user account is needed, but registration is open by default. This issue has
|
|
been fixed in ATutor 2.2.1-RC1.
|
|
|
|
Proof of Concept:
|
|
|
|
1. Visit Chat:
|
|
http://localhost/ATutor/mods/_standard/chat/chat.php
|
|
2. Enter chat message:
|
|
'"><img src=no onerror=alert(1)>
|
|
3. Visit chat history of that user:
|
|
http://localhost/ATutor/mods/_standard/chat/filterHistory.php?filterChatID=[USERNAME]
|
|
|
|
4. Solution
|
|
|
|
To mitigate this issue please upgrade at least to version 2.2.1:
|
|
|
|
http://www.atutor.ca/atutor/download.php
|
|
|
|
Please note that a newer version might already be available.
|
|
|
|
5. Report Timeline
|
|
|
|
11/17/2015 Informed Vendor about Issue
|
|
11/21/2015 Vendor requests more time
|
|
01/06/2016 Vendor releases new release candidate with partial fix
|
|
01/30/2016 Vendor releases complete fix
|
|
02/01/2016 Disclosed to public
|
|
|
|
|
|
Blog Reference:
|
|
https://blog.curesec.com/article/blog/Atutor-22-XSS-149.html
|
|
|
|
--
|
|
blog: https://blog.curesec.com
|
|
tweet: https://twitter.com/curesec
|
|
|
|
Curesec GmbH
|
|
Curesec Research Team
|
|
Romain-Rolland-Str 14-24
|
|
13089 Berlin, Germany |