MantisBT

ID: 0005769
Project: ATutor
Category: - no cat -
View Status: public
Date Submitted: 2017-03-03 18:45
Last Update: 2017-03-03 19:35
Reporter: greg
Assigned To: greg
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Platform:
OS:
OS Version:
Product Version:
Target Version: 2.2.3
Fixed in Version: 2.2.3
Summary: 0005769: Edit Language
Description:
Product: ATutor
Download: https://github.com/atutor/ATutor
Vulnerable Version: 2.2.2 and probably prior
Tested Version: 2.2.2
Author: Haojun Hou in ADLab of Venustech

Advisory Details:
Multiple Cross-Site Scripting (XSS) vulnerabilities were discovered in “ATutor 2.2.2”, which can be exploited to execute arbitrary code.
The vulnerabilities exist due to insufficient filtration of user-supplied data in the “lang_code” HTTP GET parameter passed to the “ATutor-master/themes/default/admin/system_preferences/language_edit.tmpl.php”, “ATutor-master/themes/mobile/admin/system_preferences/language_edit.tmpl.php” and “ATutor-master/themes/simplified_desktop/admin/system_preferences/language_edit.tmpl.php” URLs. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
The exploitation examples below use the "alert()" JavaScript function to show a pop-up message box:
PoC:
(1)
http://localhost/.../ATutor-master/themes/default/admin/system_preferences/language_edit.tmpl.php?lang_code=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3C%22
(2)
http://localhost/.../ATutor-master/themes/mobile/admin/system_preferences/language_edit.tmpl.php?lang_code=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3C%22
(3)
http://localhost/.../ATutor-master/themes/simplified_desktop/admin/system_preferences/language_edit.tmpl.php?lang_code=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3C%22
Tags: No tags attached.
Affects version: SVN
SVN Revision#: add6ce0..25318a7 master -> master
Attached Files

- Relationships

-  Notes
(0007545)
greg (administrator)
2017-03-03 19:35

urlencode GET var passed into language editor template
patched for 2.2.2 0008
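
The encoding step named in the note above, shown per output sink as an added example; it is not ATutor's code and not part of the original report. The two template fragments, the function names and the allowlist pattern for language codes are assumptions made for illustration.

```php
<?php
// Added illustration, not ATutor code. The two template fragments are
// hypothetical stand-ins for a template that echoes $_GET['lang_code'].

// Assumed shape of a language code ("en", "zh-tw"); reject everything else.
function valid_lang_code(string $code): bool
{
    return preg_match('/\A[a-z]{2,3}(-[a-z0-9]{2,8})?\z/i', $code) === 1;
}

// Sink 1: value placed in a URL query component inside an href attribute.
function render_link(string $code, bool $encode): string
{
    $v = $encode ? urlencode($code) : $code;
    return '<a href="language_edit.php?lang_code=' . $v . '">edit</a>';
}

// Sink 2: value placed in a plain HTML attribute.
function render_hidden(string $code, bool $encode): string
{
    $v = $encode ? htmlspecialchars($code, ENT_QUOTES, 'UTF-8') : $code;
    return '<input type="hidden" name="lang_code" value="' . $v . '">';
}

// True when the supplied value closed the attribute and opened a script tag.
function injected_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed inputs: the value from the report as PHP exposes it in $_GET
// (already URL-decoded), and a benign code.
$samples = [
    rawurldecode('%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3C%22'),
    'zh-tw',
];

foreach ($samples as $code) {
    printf("input: %s (allowlist: %s)\n", $code, valid_lang_code($code) ? 'pass' : 'reject');
    foreach ([false, true] as $encode) {
        foreach ([render_link($code, $encode), render_hidden($code, $encode)] as $html) {
            printf("  encoded=%-3s injected_tag=%-3s %s\n",
                $encode ? 'yes' : 'no', injected_tag($html) ? 'yes' : 'no', $html);
        }
    }
}
```

`urlencode()` fits a value that ends up inside a URL; a value written into any other HTML attribute needs `htmlspecialchars()` with `ENT_QUOTES`, and rejecting values that fail the allowlist stops the request before either sink is reached.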

- Issue History
Date Modified Username Field Change
2017-03-03 18:45 greg New Issue
2017-03-03 19:35 greg SVN Revision# => add6ce0..25318a7 master -> master
2017-03-03 19:35 greg Note Added: 0007545
2017-03-03 19:35 greg Status new => resolved
2017-03-03 19:35 greg Fixed in Version => 2.2.3
2017-03-03 19:35 greg Resolution open => fixed
2017-03-03 19:35 greg Assigned To => greg

