AContent 1.1 (category_name) Remote Script Insertion Vulnerability

2011-08-06T00:00:00
ID ZSL-2011-5033
Type zeroscience
Reporter Gjoko Krstic
Modified 2011-08-06T00:00:00

Description

Title: AContent 1.1 (category_name) Remote Script Insertion Vulnerability
Advisory ID: ZSL-2011-5033
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 06.08.2011

Summary

AContent is an open source learning content authoring system and repository used to create interoperable, accessible, adaptive Web-based learning content. It can be used along with learning management systems to develop, share, and archive learning materials.

Description

AContent suffers from a stored cross-site scripting vulnerability. Input passed through the POST parameter 'category_name' in '/course_category/index.php' is not sanitized, allowing an attacker to execute HTML and script code in a user's browser session on the affected site. Authentication is required for script insertion.
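
The class of fix for this bug, as an added example that is not AContent's code and not part of the advisory: a stored value is encoded for the HTML context when it is written into the page, and checked against an allow-list when it is saved. The function names, the attribute context the value is rendered into, and the allow-list pattern are assumptions.

```php
<?php
// Added example: hypothetical helpers, not AContent's actual code.

// Before: the stored value is written into an attribute as-is, so a name
// containing a double quote and angle brackets closes the attribute and
// the rest is parsed by the browser as markup.
function render_category_unsafe(string $name): string
{
    return '<input type="text" name="category_name" value="' . $name . '" />';
}

// After: encode for the HTML context at output time. ENT_QUOTES covers both
// quote styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function render_category_safe(string $name): string
{
    $encoded = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="category_name" value="' . $encoded . '" />';
}

// Defence in depth at write time: accept only names made of letters, digits,
// spaces and a few punctuation marks (pattern and length limit are assumed).
function validate_category_name(string $name): bool
{
    return preg_match('/^[\p{L}\p{N} _.,&()\-]{1,100}$/u', $name) === 1;
}

// Constructed samples: an ordinary name and the value from the PoC request.
$samples = ['Physics & Astronomy', '"><script>alert(1)</script>'];

foreach ($samples as $name) {
    printf("input:   %s\n", $name);
    printf("valid:   %s\n", validate_category_name($name) ? 'yes' : 'no');
    printf("unsafe:  %s\n", render_category_unsafe($name));
    printf("encoded: %s\n\n", render_category_safe($name));
}
```

Output encoding is the control that closes the hole; the write-time check only narrows what can be stored and does not replace it.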

Vendor

ATutor (Inclusive Design Institute) - <http://www.atutor.ca>

Affected Version

1.1 (build r296)

Tested On

Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41

Vendor Status

[03.08.2011] Submitted vulnerability details to vendor's bug tracking system.
[05.08.2011] No reaction from vendor.
[06.08.2011] Public security advisory released.
[23.09.2011] Vendor releases fix.

PoC

acontent_storedxss.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://atutor.ca/atutor/mantis/view.php?id=4804>
[2] <http://securityreason.com/wlb_show/WLB-2011080045>
[3] <http://www.exploit-db.com/exploits/17629/>
[4] <http://packetstormsecurity.org/files/103761>
[5] <http://www.securityfocus.com/bid/49066>
[6] <http://secunia.com/advisories/45560>
[7] <http://xforce.iss.net/xforce/xfdb/69076>
[8] <http://osvdb.org/show/osvdb/74454>

Changelog

[06.08.2011] - Initial release
[08.08.2011] - Added reference [4] and [5]
[09.08.2011] - Added reference [6]
[11.08.2011] - Added reference [7]
[12.08.2011] - Added reference [8]
[23.09.2011] - Added vendor status

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            
AContent 1.1 (category_name) Remote Script Insertion Vulnerability


Vendor: ATutor (Inclusive Design Institute)
Product web page: http://www.atutor.ca
Affected version: 1.1 (build r296)

Summary: AContent is an open source learning content authoring system
and repository used to create interoperable, accessible, adaptive
Web-based learning content. It can be used along with learning management
systems to develop, share, and archive learning materials.

Desc: AContent suffers from a stored cross-site scripting vulnerability.
Input passed through the POST parameter 'category_name' in
'/course_category/index.php' is not sanitized, allowing an attacker to
execute HTML and script code in a user's browser session on the affected
site. Authentication is required for script insertion.

Tested on: Microsoft Windows XP Professional SP3 (EN)
           Apache 2.2.14 (Win32)
           PHP 5.3.1
           MySQL 5.1.41


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2011-5033
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5033.php


31.07.2011

--


POST http://localhost/AContent/course_category/index.php HTTP/1.0

 category_name="><script>alert(1)</script>&add=Add