OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[Full-disclosure] Secunia Research: ATutor Multiple Vulnerabilities

From: Secunia Research (vulnsecunia.com)
Date: Thu Oct 27 2005 - 09:56:06 CDT


======================================================================

                     Secunia Research 27/10/2005

                  - ATutor Multiple Vulnerabilities -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerabilities.......................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

ATutor 1.5.1-pl1

Other versions may also be affected.

======================================================================
2) Severity

Rating: Highly critical
Impact: System access, exposure of sensitive information, and
        cross-site scripting
Where: Remote

======================================================================
3) Vendor's Description of Software

ATutor is an Open Source Web-based Learning Content Management System
(LCMS) designed with accessibility and adaptability in mind.

Product link:
http://atutor.ca/

======================================================================
4) Description of Vulnerabilities

Secunia Research has discovered some vulnerabilities in ATutor, which
can be exploited by malicious people to conduct cross-site scripting
attacks, disclose sensitive information, and compromise a vulnerable
system.

1) Input passed to the "addslashes", "asc", and "desc" parameters in
"include/html/forum.inc.php" isn't properly verified, before it is
used to create a function call. This can be exploited to call an
arbitrary PHP function with an arbitrary parameter (e.g. execute
arbitrary shell commands with the "exec" function).

Examples:
http://[host]/include/html/forum.inc.php?
addslashes=[function]&asc=[parameter]
http://[host]/include/html/forum.inc.php?
addslashes=[function]&desc=[parameter]

Successful exploitation requires that "register_globals" is enabled.

2) Input passed to the "section" parameter in "body_header.inc.php"
and "print.php" isn't properly verified, before it is used to include
files. This can be exploited to include arbitrary files from local
resources.

Examples:
http://[host]/documentation/common/body_header.inc.php?
section=[file]%00
http://[host]/documentation/common/print.php?section=[file]%00

Successful exploitation requires that "register_globals" is enabled
and that "magic_quotes_gpc" is disabled.

3) Input passed to the "_base_href" parameter in
"admin/translate.php", the "_base_path" parameter in
"include/html/editor_tabs/news.inc.php", and the "p" parameter in
"documentation/add_note.php" isn't properly sanitised before being
returned to the user. This can be exploited to execute arbitrary
HTML and script code in a user's browser session in context of an
affected site.

The vulnerabilities have been confirmed in version 1.5.1-pl1. Other
versions may also be affected.

======================================================================
5) Solution

Apply patch.
http://atutor.ca/view/3/6158/1.html

The fixes will also be included in the upcoming 1.5.2 version.

======================================================================
6) Time Table

10/10/2005 - Vulnerability discovered.
11/10/2005 - Vendor notified.
27/10/2005 - Vendor releases patch.
27/10/2005 - Public disclosure.

======================================================================
7) Credits

Discovered by Andreas Sandblad, Secunia Research.

======================================================================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-55/advisory/

======================================================================

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/