SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   ATutor
Vendors:   ATRC
ATutor Input Validation Holes Let Remote Users Execute Arbitrary Code and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1015165
SecurityTracker URL:  http://securitytracker.com/id/1015165
CVE Reference:   CVE-2005-3403, CVE-2005-3404, CVE-2005-3405
Date:  Nov 8 2005
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.5.1-pl1
Description:   A vulnerability was reported in ATutor. A remote user can execute arbitrary commands on the target system. A remote user can also conduct cross-site scripting attacks.

Several scripts do not properly filter user-supplied input in several parameters.

The 'include/html/forum.inc.php' script does not properly validate user-supplied input in the 'addslashes', 'asc', and 'desc' parameters before using the input as part of a function call. If register_globals is enabled, a remote user can supply a specially crafted URL to execute an arbitrary PHP function. The function will execute with the privileges of the target web service.

The 'body_header.inc.php' and 'print.php' scripts do not properly validate user-supplied input in the 'section' parameter. If register_globals is enabled and magic_quotes_gpc is disabled, a remote user can supply a specially crafted URL to cause arbitrary files on the target system to be included.

Some demonstration exploit URLs are provided:

http://[target]/documentation/common/body_header.inc.php?section=[file]%00

http://[target]/documentation/common/print.php?section=[file]%00

The '_base_href' parameter in the 'admin/translate.php' script, the '_base_path' parameter in the 'include/html/editor_tabs/news.inc.php' script, and the 'p' parameter in the 'documentation/add_note.php' script are not properly validated. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the ATutor software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The vendor was notified on October 11, 2005.

Impact:   A remote user can execute arbitrary PHP functions on the target system with the privileges of the target web service.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the ATutor software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   The vendor has issued a patch, available at:

http://atutor.ca/view/3/6158/1.html

The vendor plans to include the fix in a future version (1.5.2).
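
An added example (not part of the advisory and not ATutor code): a Python check that flags web-server access-log lines in which one of the scripts listed above is requested with one of the listed parameters. It assumes combined-format access logs; the per-issue value tests are heuristics chosen for this example, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script path (relative to the ATutor root) -> (issue, parameters named in the advisory)
RULES = {
    "include/html/forum.inc.php": ("function call", {"addslashes", "asc", "desc"}),
    "documentation/common/body_header.inc.php": ("file inclusion", {"section"}),
    "documentation/common/print.php": ("file inclusion", {"section"}),
    "admin/translate.php": ("cross-site scripting", {"_base_href"}),
    "include/html/editor_tabs/news.inc.php": ("cross-site scripting", {"_base_path"}),
    "documentation/add_note.php": ("cross-site scripting", {"p"}),
}

# Per-issue test on the URL-decoded parameter value (heuristics for this example).
CHECKS = {
    # Assumption: clients never set these names on a direct request to the include file.
    "function call": lambda v: True,
    # NUL terminator as in the advisory's URLs; ".." is an added heuristic.
    "file inclusion": lambda v: "\x00" in v or ".." in v,
    "cross-site scripting": lambda v: re.search(r"[<>\"']", v) is not None,
}

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def scan(lines):
    """Return (line number, issue, script, parameter) for each matching request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        for script, (issue, params) in RULES.items():
            # Suffix match, so installs under a sub-directory are covered too.
            if not url.path.endswith("/" + script):
                continue
            for name, value in parse_qsl(url.query, keep_blank_values=True):
                if name in params and CHECKS[issue](value):
                    findings.append((number, issue, script, name))
    return findings

# Constructed sample lines (combined log format, documentation address ranges).
SAMPLE = [
    '192.0.2.10 - - [27/Oct/2005:17:01:02 +0200] "GET /atutor/include/html/forum.inc.php?addslashes=FUNC&asc=ARG HTTP/1.1" 200 512',
    '192.0.2.10 - - [27/Oct/2005:17:01:09 +0200] "GET /atutor/documentation/common/print.php?section=FILE%00 HTTP/1.1" 200 1033',
    '198.51.100.7 - - [27/Oct/2005:17:03:40 +0200] "GET /atutor/documentation/add_note.php?p=%3Cb%3Ex HTTP/1.1" 200 2210',
    '198.51.100.7 - - [27/Oct/2005:17:04:11 +0200] "GET /atutor/documentation/add_note.php?p=instructor/index.php HTTP/1.1" 200 2210',
    '198.51.100.7 - - [27/Oct/2005:17:04:30 +0200] "GET /atutor/login.php HTTP/1.1" 200 4011',
]
```

The check reads query strings only. With register_globals enabled the same variables can also be set from POST bodies or cookies, which access logs normally do not record.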

Vendor URL:  www.atutor.ca/
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Thu, 27 Oct 2005 16:56:25 +0200
Subject:  Secunia Research: ATutor Multiple Vulnerabilities

======================================================================

                     Secunia Research 27/10/2005

                  - ATutor Multiple Vulnerabilities -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerabilities.......................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

ATutor 1.5.1-pl1

Other versions may also be affected.

======================================================================
2) Severity

Rating: Highly critical
Impact: System access, exposure of sensitive information, and
        cross-site scripting
Where:  Remote

======================================================================
3) Vendor's Description of Software

ATutor is an Open Source Web-based Learning Content Management System 
(LCMS) designed with accessibility and adaptability in mind.

Product link:
http://atutor.ca/

======================================================================
4) Description of Vulnerabilities

Secunia Research has discovered some vulnerabilities in ATutor, which 
can be exploited by malicious people to conduct cross-site scripting 
attacks, disclose sensitive information, and compromise a vulnerable 
system.

1) Input passed to the "addslashes", "asc", and "desc" parameters in 
"include/html/forum.inc.php" isn't properly verified, before it is 
used to create a function call. This can be exploited to call an 
arbitrary PHP function with an arbitrary parameter (e.g. execute 
arbitrary shell commands with the "exec" function).

Examples:
http://[host]/include/html/forum.inc.php?
addslashes=[function]&asc=[parameter]
http://[host]/include/html/forum.inc.php?
addslashes=[function]&desc=[parameter]

Successful exploitation requires that "register_globals" is enabled.

2) Input passed to the "section" parameter in "body_header.inc.php" 
and "print.php" isn't properly verified, before it is used to include 
files. This can be exploited to include arbitrary files from local 
resources.

Examples:
http://[host]/documentation/common/body_header.inc.php?
section=[file]%00
http://[host]/documentation/common/print.php?section=[file]%00

Successful exploitation requires that "register_globals" is enabled 
and that "magic_quotes_gpc" is disabled.

3) Input passed to the "_base_href" parameter in 
"admin/translate.php", the "_base_path" parameter in 
"include/html/editor_tabs/news.inc.php", and the "p" parameter in 
"documentation/add_note.php" isn't properly sanitised before being  
returned to the user. This can be exploited to execute arbitrary 
HTML and script code in a user's browser session in context of an 
affected site.

The vulnerabilities have been confirmed in version 1.5.1-pl1. Other 
versions may also be affected.

======================================================================
5) Solution

Apply patch.
http://atutor.ca/view/3/6158/1.html

The fixes will also be included in the upcoming 1.5.2 version.

======================================================================
6) Time Table

10/10/2005 - Vulnerability discovered.
11/10/2005 - Vendor notified.
27/10/2005 - Vendor releases patch.
27/10/2005 - Public disclosure.

======================================================================
7) Credits

Discovered by Andreas Sandblad, Secunia Research.

======================================================================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-55/advisory/

======================================================================




 
 



Copyright 2014, SecurityGlobal.net LLC