======================================================================
Secunia Research 27/10/2005
- ATutor Multiple Vulnerabilities -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerabilities.......................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
About Secunia........................................................8
Verification.........................................................9
======================================================================
1) Affected Software
ATutor 1.5.1-pl1
Other versions may also be affected.
======================================================================
2) Severity
Rating: Highly critical
Impact: System access, exposure of sensitive information, and
cross-site scripting
Where: Remote
======================================================================
3) Vendor's Description of Software
ATutor is an Open Source Web-based Learning Content Management System
(LCMS) designed with accessibility and adaptability in mind.
Product link:
http://atutor.ca/
======================================================================
4) Description of Vulnerabilities
Secunia Research has discovered some vulnerabilities in ATutor, which
can be exploited by malicious people to conduct cross-site scripting
attacks, disclose sensitive information, and compromise a vulnerable
system.
1) Input passed to the "addslashes", "asc", and "desc" parameters in
"include/html/forum.inc.php" isn't properly verified, before it is
used to create a function call. This can be exploited to call an
arbitrary PHP function with an arbitrary parameter (e.g. execute
arbitrary shell commands with the "exec" function).
Examples:
http://[host]/include/html/forum.inc.php?
addslashes=[function]&asc=[parameter]
http://[host]/include/html/forum.inc.php?
addslashes=[function]&desc=[parameter]
Successful exploitation requires that "register_globals" is enabled.
2) Input passed to the "section" parameter in "body_header.inc.php"
and "print.php" isn't properly verified, before it is used to include
files. This can be exploited to include arbitrary files from local
resources.
Examples:
http://[host]/documentation/common/body_header.inc.php?
section=[file]%00
http://[host]/documentation/common/print.php?section=[file]%00
Successful exploitation requires that "register_globals" is enabled
and that "magic_quotes_gpc" is disabled.
3) Input passed to the "_base_href" parameter in
"admin/translate.php", the "_base_path" parameter in
"include/html/editor_tabs/news.inc.php", and the "p" parameter in
"documentation/add_note.php" isn't properly sanitised before being
returned to the user. This can be exploited to execute arbitrary
HTML and script code in a user's browser session in context of an
affected site.
The vulnerabilities have been confirmed in version 1.5.1-pl1. Other
versions may also be affected.
======================================================================
5) Solution
Apply patch.
http://atutor.ca/view/3/6158/1.html
The fixes will also be included in the upcoming 1.5.2 version.
======================================================================
6) Time Table
10/10/2005 - Vulnerability discovered.
11/10/2005 - Vendor notified.
27/10/2005 - Vendor releases patch.
27/10/2005 - Public disclosure.
======================================================================
7) Credits
Discovered by Andreas Sandblad, Secunia Research.
======================================================================
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:
http://secunia.com/
Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/secunia_security_advisories/
======================================================================
9) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-55/advisory/
======================================================================