ATutor 2.2 – XSS Vulnerabilities

Sébastien Morin has discovered multiple XSS vulnerabilities in version 2.2 of ATutor, an Open Source Web-based Learning Content Management System (LCMS). This could allow malicious users to create a specially crafted POST request that would execute arbitrary code in a user’s browser in order to gather data from them or to modify the content of the page presented to the user.

##################################################################################

# Title: ATutor 2.2 XSS vulnerabilities
# Application: ATutor (LCMS)
# Version: 2.2
# Software Link: http://www.atutor.ca/
# Date: 2015-02-08
# Author: Sébastien Morin
# Contact: https://twitter.com/SebMorin1
# Category: Web Applications

########################################################################################

===================
Introduction:
===================

ATutor is an Open Source Web-based Learning Content Management System (LCMS). ATutor is used in various contexts, including online course management, continuing professional development for teachers, career development, and academic research.

(http://en.wikipedia.org/wiki/ATutor)

########################################################################################

===================
Report Timeline:
===================

2015-02-06 Vulnerability discovered
2015-02-08 Vulnerability reported to vendor
2015-02-08 Vendor response
2015-02-11 Vendor confirmed
2015-09-09 Advisory release

########################################################################################

===================
Technical details:
===================

1. XSS:
========

ATutor 2.2 contains a flaw that allows a remote cross-site scripting attack. This could allow malicious users to create a specially crafted URL that would execute arbitrary code in a user’s browser in order to gather data from them or to modify the content of the page presented to the user.

Exploit Example:

The whole documentation section is affected by XSS:

  • http://{TARGET}/ATutor/documentation/admin/?%22onmouseover%3d'prompt(123)'bad%3d%22>
  • http://{TARGET}/ATutor/documentation/general/?%22onmouseover%3d'prompt(123)'bad%3d%22>
  • http://{TARGET}/ATutor/documentation/instructor/?%22onmouseover%3d'prompt(123)'bad%3d%22>

And many others.

Whatever is appended to the URL's query string is reflected into the page, so XSS can be injected after the URL. Good practice is to always filter or encode HTML metacharacters in user-supplied input in order to prevent this type of vulnerability.
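As an added example (not part of the advisory and not ATutor's own code), the following Python models the flaw class described above: the raw query string reflected into an HTML attribute beside its attribute-encoded form, with a parser-based check that shows which rendering yields an event-handler attribute and can flag request URLs whose reflection would. The `render_link_*` functions, the `target.invalid` host and the log-style URLs are constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample: the query string from the advisory's PoC, URL-decoded.
POC_QUERY = "\"onmouseover='prompt(123)'bad=\""


def render_link_vulnerable(query: str) -> str:
    """Models the flaw class (hypothetical, not ATutor code): the raw query
    string is reflected into an attribute, so a double quote in the input
    closes href and everything after it becomes new attributes."""
    return f'<a href="?{query}">next</a>'


def render_link_hardened(query: str) -> str:
    """Fix: attribute-encode the reflected value (quotes become entities),
    so the whole input stays inside the href value."""
    return f'<a href="?{html.escape(query, quote=True)}">next</a>'


class _AttrCollector(HTMLParser):
    """Collects every attribute name the tolerant parser sees; like a browser,
    it treats a quote immediately followed by a name as a new attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.names: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name.lower() for name, _ in attrs)


def event_handlers(markup: str) -> list[str]:
    """Return the on* attribute names present in the rendered markup."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return [n for n in parser.names if n.startswith("on")]


def reflection_adds_handler(url: str) -> bool:
    """Defensive check for a request URL (e.g. taken from an access log): would
    reflecting its decoded query string unescaped introduce an event handler?"""
    query = unquote(url.partition("?")[2])
    return bool(event_handlers(render_link_vulnerable(query)))


if __name__ == "__main__":
    for render in (render_link_vulnerable, render_link_hardened):
        print(render.__name__, event_handlers(render(POC_QUERY)))
```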
