SecurityTracker.com
Category:   Application (Generic)  >   ATutor
Vendors:   ATRC
ATutor Input Validation Bugs in Several Scripts Permit Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1014216
SecurityTracker URL:  http://securitytracker.com/id/1014216
CVE Reference:   CVE-2005-2044
Updated:  Jul 17 2008
Original Entry Date:  Jun 16 2005
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 1.4.3, 1.5 RC 1
Description:   Lostmon reported a vulnerability in ATutor. A remote user can conduct cross-site scripting attacks.

Several scripts do not properly validate user-supplied input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the ATutor software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[target]/ATutor/browse.php?cat=0&show_course=1[XSS-CODE]

http://[target]/ATutor/contact.php?subject=[XSS-CODE]

http://[target]/atutor/content.php?cid=323[XSS-CODE]

http://[target]/atutor/inbox/send_message.php?l=1[XSS-CODE]

http://[target]/atutor/search.php?search=10[XSS-CODE]&words=kk&include=all&find_in=this&display_as=pages&search=Search

http://[target]/ATutor/search.php?search=1&words=aa[XSS-CODE]&include=one&find_in=all&display_as=summaries&search=Search#search_results

http://[target]/ATutor/search.php?search=1&words=aa&include=one[XSS-CODE]&find_in=all&display_as=summaries&search=Search#search_results

http://[target]/ATutor/search.php?search=1&words=aa&include=one&find_in=all[XSS-CODE]&display_as=summaries&search=Search#search_results

http://[target]/ATutor/search.php?search=1&words=aa&include=one&find_in=all&display_as=[XSS-CODE]summaries&search=Search#search_results

http://[target]/ATutor/search.php?search=1&words=aa&include=one&find_in=all&display_as=summaries&search=[XSS-CODE]Search#search_results

http://[target]/ATutor/inbox/index.php?view=1[XSS-CODE]

http://[target]/ATutor/tile.php?query=yy&field=technicalFormat&submit=Search[XSS-CODE]

http://[target]/ATutor/tile.php?query=[XSS-CODE]&field=technicalFormat&submit=Search

http://[target]/ATutor/tile.php?query=yy&field=technicalFormat[XSS-CODE]&submit=Search

http://[target]/ATutor/forum/subscribe_forum.php?fid=2&us=1[XSS-CODE]

http://[target]/ATutor/directory.php?roles%5B%5D=[XSS-CODE]1&roles%5B%5D=2&roles%5B%5D=3&status=1&submit=Filter

http://[target]/ATutor/directory.php?roles%5B%5D=1&roles%5B%5D=[XSS-CODE]2&roles%5B%5D=3&status=1&submit=Filter

http://[target]/ATutor/directory.php?roles%5B%5D=1&roles%5B%5D=2&roles%5B%5D=3[XSS-CODE]&status=1&submit=Filter

http://[target]/ATutor/directory.php?roles%5B%5D=1&roles%5B%5D=2&roles%5B%5D=3&status=1[XSS-CODE]&submit=Filter

http://[target]/ATutor/directory.php?roles%5B%5D=1&roles%5B%5D=2&roles%5B%5D=3&status=1&submit=Filter[XSS-CODE]

http://[target]/ATutor/directory.php?roles%5B%5D=1&status=2&reset_filter=Reset+Filter[XSS-CODE]

http://[target]/ATutor/directory.php?roles[]=1[XSS-CODE]

Some of the exploit URLs require that the target user be authenticated to the system.

The vendor was notified on June 14, 2005.
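
With no fix available, one defensive option is to watch web server logs for the listed parameters carrying values outside their normal shape. The following is an added example, not part of the advisory or of ATutor's code: it maps each script and parameter from the demonstration URLs to an expected pattern and flags access-log requests that break it. The `/atutor/` install path, the `WORD` character set, the function names and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

NUM = re.compile(r"\d+")               # ids and flags such as cid=323, status=1
WORD = re.compile(r"[A-Za-z0-9 _-]*")  # assumption: benign text values are plain words
# Script -> parameter -> expected shape, taken from the advisory's demonstration URLs.
EXPECTED = {
    "browse.php": {"cat": NUM, "show_course": NUM},
    "contact.php": {"subject": WORD},
    "content.php": {"cid": NUM},
    "inbox/send_message.php": {"l": NUM},
    "inbox/index.php": {"view": NUM},
    "search.php": dict.fromkeys(("search", "words", "include", "find_in", "display_as"), WORD),
    "tile.php": dict.fromkeys(("query", "field", "submit"), WORD),
    "forum/subscribe_forum.php": {"fid": NUM, "us": NUM},
    "directory.php": {"roles[]": NUM, "status": NUM, "submit": WORD, "reset_filter": WORD},
}
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_params(target):
    """Return sorted (script, param) pairs whose decoded value breaks its shape."""
    parts = urlsplit(target)
    path = parts.path.lower()  # the advisory shows both /ATutor/ and /atutor/
    hits = set()
    for script, rules in EXPECTED.items():
        if path.endswith("/atutor/" + script):
            # parse_qsl percent-decodes once, so roles%5B%5D becomes roles[]
            for name, value in parse_qsl(parts.query, keep_blank_values=True):
                rule = rules.get(name)
                if rule is not None and not rule.fullmatch(value):
                    hits.add((script, name))
    return sorted(hits)

def scan(log_lines):
    """Return [(line_number, hits)] for access-log lines with out-of-shape values."""
    found = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if match and (hits := suspicious_params(match.group(1))):
            found.append((number, hits))
    return found

# Constructed sample lines (not real traffic); <i> stands in for injected markup.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Jun/2005:10:00:01 +0000] "GET /ATutor/content.php?cid=323 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [16/Jun/2005:10:00:07 +0000] "GET /atutor/content.php?cid=323%22%3E%3Ci%3E HTTP/1.1" 200 5301',
    '203.0.113.9 - - [16/Jun/2005:10:00:09 +0000] "GET /ATutor/directory.php?roles%5B%5D=1&roles%5B%5D=2%3Ci%3E&status=1&submit=Filter HTTP/1.1" 200 7710',
    '203.0.113.5 - - [16/Jun/2005:10:00:12 +0000] "GET /ATutor/search.php?search=1&words=aa&include=one&find_in=all&display_as=summaries&search=Search HTTP/1.1" 200 6402',
]
if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The map covers only the scripts and parameters named in the demonstration URLs, and values sent in POST bodies do not appear in an access log.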

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the ATutor software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.atutor.ca/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  ATutor multiple variable Cross site scripting


################################################
ATutor multiple variable Cross site scripting
vendor url:http://www.atutor.ca/atutor/download.php
ADVISORY: http://lostmon.blogspot.com/2005/06/atutor-multiple-variable-cross-site.html
VENDOR NOTIFY: YES EXPLOIT AVAILABLE: YES
################################################

ATutor is an Open Source Web-based Learning Content
Management System (LCMS) designed with accessibility
and adaptability in mind.

ATutor contains a flaw that allows a remote cross site
scripting attack. This flaw exists because the application
does not validate multiple variables upon submission
to multiple scripts. This could allow a user to
create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading to a loss of integrity.


###########
versions:
###########

ATutor 1.4.3  vulnerable
ATutor 1.5 RC 1 vulnerable


#############
solution
#############

no solution was available at this time


##############
timeline
##############

discovered:    10-06-2005
vendor notify: 14-06-2005 (webform)
disclosure:    16-06-2005

##################
Proof of concepts
##################

http://[VICTIM]/ATutor/browse.php?cat=0&show_course=1[XSS-CODE]

http://[VICTIM]/ATutor/contact.php?subject=[XSS-CODE]

http://[VICTIM]/atutor/content.php?cid=323[XSS-CODE]

http://[VICTIM]/atutor/inbox/send_message.php?l=1[XSS-CODE]

http://[VICTIM]/atutor/search.php?search=10[XSS-CODE]&words=kk&include=all&find_in=this&display_as=pages&search=Search

http://[VICTIM]/ATutor/search.php?search=1&words=aa[XSS-CODE]&include=one&find_in=all&display_as=summaries&search=Search#search_results

http://[VICTIM]/ATutor/search.php?search=1&words=aa&include=one[XSS-CODE]&find_in=all&display_as=summaries&search=Search#search_results

http://[VICTIM]/ATutor/search.php?search=1&words=aa&include=one&find_in=all[XSS-CODE]&display_as=summaries&search=Search#search_results

http://[VICTIM]/ATutor/search.php?search=1&words=aa&include=one&find_in=all&display_as=[XSS-CODE]summaries&search=Search#search_results

http://[VICTIM]/ATutor/search.php?search=1&words=aa&include=one&find_in=all&display_as=summaries&search=[XSS-CODE]Search#search_results

http://[VICTIM]/ATutor/inbox/index.php?view=1[XSS-CODE]

http://[VICTIM]/ATutor/tile.php?query=yy&field=technicalFormat&submit=Search[XSS-CODE]

http://[VICTIM]/ATutor/tile.php?query=[XSS-CODE]&field=technicalFormat&submit=Search

http://[VICTIM]/ATutor/tile.php?query=yy&field=technicalFormat[XSS-CODE]&submit=Search

http://[VICTIM]/ATutor/forum/subscribe_forum.php?fid=2&us=1[XSS-CODE]

http://[VICTIM]/ATutor/directory.php?roles%5B%5D=[XSS-CODE]1&roles%5B%5D=2&roles%5B%5D=3&status=1&submit=Filter

http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B%5D=[XSS-CODE]2&roles%5B%5D=3&status=1&submit=Filter

http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B%5D=2&roles%5B%5D=3[XSS-CODE]&status=1&submit=Filter

http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B%5D=2&roles%5B%5D=3&status=1[XSS-CODE]&submit=Filter

http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B%5D=2&roles%5B%5D=3&status=1&submit=Filter[XSS-CODE]

http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&status=2&reset_filter=Reset+Filter[XSS-CODE]

http://[VICTIM]/ATutor/directory.php?roles[]=1[XSS-CODE]

Exploiting some flaws requires a client login.
Other scripts and other variables are vulnerable
to the same style of attack.



Thanks to estrella for being my light

-- Sincerely: Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/
-- Curiosity is what makes the mind move....
 
 

