PDA

Bekijk Volledige Versie : Secunia Research: ATutor Multiple Vulnerabilities



Secunia Research
27/10/05, 20:10
================================================== ====================

Secunia Research 27/10/2005

- ATutor Multiple Vulnerabilities -

================================================== ====================
Table of Contents

Affected Software.......................................... ..........1
Severity.......................................... ...................2
Vendor's Description of Software.....................................3
Description of Vulnerabilities................................... ....4
Solution.......................................... ...................5
Time Table............................................. ..............6
Credits........................................... ...................7
About Secunia........................................... .............8
Verification...................................... ...................9

================================================== ====================
1) Affected Software

ATutor 1.5.1-pl1

Other versions may also be affected.

================================================== ====================
2) Severity

Rating: Highly critical
Impact: System access, exposure of sensitive information, and
cross-site scripting
Where: Remote

================================================== ====================
3) Vendor's Description of Software

ATutor is an Open Source Web-based Learning Content Management System
(LCMS) designed with accessibility and adaptability in mind.

Product link:
http://atutor.ca/

================================================== ====================
4) Description of Vulnerabilities

Secunia Research has discovered some vulnerabilities in ATutor, which
can be exploited by malicious people to conduct cross-site scripting
attacks, disclose sensitive information, and compromise a vulnerable
system.

1) Input passed to the "addslashes", "asc", and "desc" parameters in
"include/html/forum.inc.php" isn't properly verified, before it is
used to create a function call. This can be exploited to call an
arbitrary PHP function with an arbitrary parameter (e.g. execute
arbitrary shell commands with the "exec" function).

Examples:
http://[host]/include/html/forum.inc.php?
addslashes=[function]&asc=[parameter]
http://[host]/include/html/forum.inc.php?
addslashes=[function]&desc=[parameter]

Successful exploitation requires that "register_globals" is enabled.

2) Input passed to the "section" parameter in "body_header.inc.php"
and "print.php" isn't properly verified, before it is used to include
files. This can be exploited to include arbitrary files from local
resources.

Examples:
http://[host]/documentation/common/body_header.inc.php?
section=[file]%00
http://[host]/documentation/common/print.php?section=[file]%00

Successful exploitation requires that "register_globals" is enabled
and that "magic_quotes_gpc" is disabled.

3) Input passed to the "_base_href" parameter in
"admin/translate.php", the "_base_path" parameter in
"include/html/editor_tabs/news.inc.php", and the "p" parameter in
"documentation/add_note.php" isn't properly sanitised before being
returned to the user. This can be exploited to execute arbitrary
HTML and script code in a user's browser session in context of an
affected site.

The vulnerabilities have been confirmed in version 1.5.1-pl1. Other
versions may also be affected.

================================================== ====================
5) Solution

Apply patch.
http://atutor.ca/view/3/6158/1.html

The fixes will also be included in the upcoming 1.5.2 version.

================================================== ====================
6) Time Table

10/10/2005 - Vulnerability discovered.
11/10/2005 - Vendor notified.
27/10/2005 - Vendor releases patch.
27/10/2005 - Public disclosure.

================================================== ====================
7) Credits

Discovered by Andreas Sandblad, Secunia Research.

================================================== ====================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

================================================== ====================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-55/advisory/

================================================== ====================