ATutor AContent 1.1 Script Insertion

Type packetstorm
Reporter LiquidWorm
Modified 2011-08-06T00:00:00


AContent 1.1 (category_name) Remote Script Insertion Vulnerability  
Vendor: ATutor (Inclusive Design Institute)  
Product web page:  
Affected version: 1.1 (build r296)  
Summary: AContent is an open source learning content authoring system  
and repository used to create interoperable, accessible, adaptive  
Web-based learning content. It can be used along with learning management  
systems to develop, share, and archive learning materials.  
Desc: AContent suffers from a stored cross-site scripting vulnerability.  
Input passed through the POST parameter 'category_name' in '/course_category/index.php'  
is not sanitized, allowing an attacker to inject HTML and script code that  
executes in the browser session of users viewing the affected page.  
Authentication is required to insert the script.  
Tested on: Microsoft Windows XP Professional SP3 (EN)  
Apache 2.2.14 (Win32)  
PHP 5.3.1  
MySQL 5.1.41  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Advisory ID: ZSL-2011-5033  
Advisory URL:  
POST http://localhost/AContent/course_category/index.php HTTP/1.0
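The root cause described above is a stored value being written back into HTML without output encoding. The following PHP snippet is an added illustration and is not AContent's own code: it places the vulnerable pattern beside the hardened one, using a constructed sample value standing in for what an attacker could store through the 'category_name' parameter. The function names and the validation rule are assumptions chosen for the example.

```php
<?php
// Added illustration (not AContent's code): why an unencoded 'category_name'
// becomes stored XSS, and the two controls that prevent it.

// Constructed sample of a value an attacker could have stored. Any HTML with
// an event handler would do; this one is deliberately generic.
$stored = '<b onmouseover="alert(document.domain)">Math</b>';

// VULNERABLE pattern: the stored value is concatenated into the page as-is,
// so the markup is rendered and the handler runs in every viewer's session.
function render_category_vulnerable(string $name): string
{
    return '<td>' . $name . '</td>';
}

// HARDENED pattern: encode on output for the HTML context. ENT_QUOTES also
// covers attribute contexts; the explicit charset avoids encoding mismatches
// that can otherwise let bytes slip past the encoder.
function render_category_safe(string $name): string
{
    return '<td>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Defence in depth: validate on input as well. A category name has no reason
// to contain angle brackets or quotes, so reject rather than try to "clean".
// The allowed character set is an assumption for this example.
function validate_category_name(string $name): bool
{
    return (bool) preg_match('/^[\p{L}\p{N} .,&()-]{1,100}$/u', $name);
}

echo "vulnerable: " . render_category_vulnerable($stored) . PHP_EOL;
echo "safe:       " . render_category_safe($stored) . PHP_EOL;
var_dump(validate_category_name($stored));
var_dump(validate_category_name('Mathematics 101'));
```

Running it shows the vulnerable renderer emitting the raw `<b onmouseover=...>` markup, while the safe renderer emits `&lt;b onmouseover=&quot;...&quot;&gt;`, which a browser displays as text instead of executing. Output encoding at the point of rendering is the fix; the input validation only narrows what can be stored and must not be relied on alone, because the same stored value may be rendered in more than one context.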