Bug Tracker

Browse through the latest 25 bug reports in the table below. Click on the Bug ID for a more detailed account of the bug. Select from the links to browse or search the bug tracker, to request a bug tracker account (open to ATutor developers), or to report a bug to the Bug Report Forum.

Browse Bug Tracker Anonymously | Request Bug Tracker Account | Report Bugs

Current Bug Summary


Bug ID | Summary | Description
5682 Create folder XSS

Status: Closed
Date Submitted: 1463082356
Last Updated: 1468256626
Severity: Minor
Resolution: Fixed

Hello,
I have done the steps below:
- first step:
I logged in as a demo user
- second step:
I jumped to the URL: https://demo.atutorspaces.com/mods/_core/editor/edit_content_folder.php?
- third step:
I injected script code, then I realized that your demo website is vulnerable to a stored XSS. Attached you will find some screenshots.
5696 Manual install fails at setup db

Status: Resolved
Date Submitted: 1467721886
Last Updated: 1467722056
Severity: Minor
Resolution: Fixed

When installing manually, $db_name as %s is not recognized in the SQL statement SHOW CREATE DATABASE `%s`. Need to remove $db_name from the array.
5695 File overwrite patch status

Status: Resolved
Date Submitted: 1467487597
Last Updated: 1467488483
Severity: Minor
Resolution: Fixed

When a file overwrite patch is installed, its status is not updated to installed
5694 Patcher editor addslashes

Status: Resolved
Date Submitted: 1467465286
Last Updated: 1467488458
Severity: Minor
Resolution: Fixed

When editing patches each save adds an additional slash to each quote.
5692 Untranslated Mobile/Simple Theme

Status: Resolved
Date Submitted: 1467463727
Last Updated: 1467488436
Severity: Minor
Resolution: Fixed

"Don't have an account" is not translated in login.tmpl.php in the mobile and simple themes.
5693 Missing language in mobile login

Status: Closed
Date Submitted: 1467464948
Last Updated: 1467487528
Severity: Minor
Resolution: Unable to Duplicate

Untranslated terms.

[off]
[topics_in]
5624 Upload width custom icon

Status: Closed
Date Submitted: 1452122926
Last Updated: 1467323035
Severity: Minor
Resolution: Fixed

A custom icon that is both higher and wider than the allowed default sizes resizes to a small square. Need to take both height and width ratios into account when resizing.
5635 Content editor test assoc'n text

Status: Closed
Date Submitted: 1456533118
Last Updated: 1467323035
Severity: Minor
Resolution: Fixed

The text added to a Quiz when associated with content via the Tests & Surveys tab in the content editor, does not appear when the link is rendered to the page.
5638 Handbook link broken

Status: Closed
Date Submitted: 1456787012
Last Updated: 1467323035
Severity: Minor
Resolution: Fixed

The links to the handbooks in the main screen of the popup ATutor handbook produce an "Innaccessible Page" error. Fails on htmlentities($_GET['p']). Add a check for $_GET['p'].
5644 module install wrong mod

Status: Closed
Date Submitted: 1457137154
Last Updated: 1467323035
Severity: Major
Resolution: Fixed

The selected module via install modules, is not the module that gets installed
5637 Gradebook, grade scale layout

Status: Closed
Date Submitted: 1456667610
Last Updated: 1467323005
Severity: Minor
Resolution: Fixed

The layout of the grade scale page is broken when a custom grade scale is added.

mods/_standard/gradebook/grade_scale.php
5640 Confirm News Feed buttons

Status: Closed
Date Submitted: 1456959903
Last Updated: 1467323005
Severity: Minor
Resolution: Fixed

When an admin adds a news feed via mods/_standard/rss_feeds/add_feed.php

there is no confirm button in the confirmation step, to complete the addition to the db.
5643 Mobile hardcoded language

Status: Closed
Date Submitted: 1457116046
Last Updated: 1467323005
Severity: Minor
Resolution: Fixed

See attached PDF for possible hardcoded language in the mobile theme.
3715 additional name formats

Status: Closed
Date Submitted: 1235383250
Last Updated: 1467323004
Severity: Feature
Resolution: Fixed

Japanese, and other languages, present last name first. Some of the following formats could be added.

http://www.atutor.ca/view/2/16741/1.html
5636 create new file in folder

Status: Closed
Date Submitted: 1456585559
Last Updated: 1467323004
Severity: Minor
Resolution: Fixed

When creating a new file inside a folder, the file gets saved into the filemanager's root directory. Missing the pathext value.
5647 Instr Create Course sys pref

Status: Closed
Date Submitted: 1457548222
Last Updated: 1467323004
Severity: Minor
Resolution: Fixed

The Instructor can create course setting in system preferences is not working on the demo site.
5654 Failed logic password_reminder.php Remote Password Reset vulnerability

Status: Closed
Date Submitted: 1458337397
Last Updated: 1467323004
Severity: Major
Resolution: Fixed

There is a failed logic flaw in the password_reminder.php script that we can leverage for a remote password reset without requiring any kind of authentication or interaction via email. This is a fatal mistake.

--------------------------------------------------------------------------------------------
} else if (isset($_REQUEST['id']) && isset($_REQUEST['g']) && isset($_REQUEST['h'])) {
    //coming from an email link
    //check if expired
    $current = intval(((time()/60)/60)/24);
    $expiry_date = $_REQUEST['g'] + AT_PASSWORD_REMINDER_EXPIRY; //2 days after creation
    if ($current > $expiry_date) {
        $msg->addError('INVALID_LINK');
        $savant->display('password_reminder_feedback.tmpl.php');
        exit;
    }
    /* check if already visited (possibley add a "last login" field to members table)... if password was changed, won't work anyway. do later. */
    //check for valid hash
    $sql = "SELECT password, email FROM %smembers WHERE member_id=%d";
    $row = queryDB($sql, array(TABLE_PREFIX, $_REQUEST['id']), TRUE);
    if (isset($row['email']) && $row['email'] != '') {
        $email = $row['email'];
        $hash = sha1($_REQUEST['id'] + $_REQUEST['g'] + $row['password']);
        $hash_bit = substr($hash, 5, 15);
        if ($_REQUEST['h'] != $hash_bit) {
            $msg->addError('INVALID_LINK');
            $savant->display('password_reminder_feedback.tmpl.php');
--------------------------------------------------------------------------------------------

Although this vulnerability is very hard to see, we start out by setting the id, g and h REQUEST. The g variable is used to calculate the expiry_date variable and needs to ensure that the value is greater than the number of days since epoch (1/1/1970).

Then later in the code, our controlled h REQUEST variable is compared against a computed string. If it fails, the INVALID_LINK error is appended to our session array using $msg->addError('INVALID_LINK');. The problem arises on the next line of code. The call to $savant->display('password_reminder_feedback.tmpl.php'); actually includes that PHP file (and subsequently several other PHP files). Eventually, one of the files calls session_start() and rewrites our session to not contain our error in it. This essentially erases the error that the previous line appended!

Why is this important? Let's see in the next few lines of code.

--------------------------------------------------------------------------------------------
//changing the password
if (isset($_POST['form_change'])) {
    /* password check: password is verified front end by javascript. here is to handle the errors from javascript */
    if ($_POST['password_error'] <> ""){
        $pwd_errors = explode(",", $_POST['password_error']);
        foreach ($pwd_errors as $pwd_error){
            if ($pwd_error == "missing_password")
                $missing_fields[] = _AT('password');
            else
                $msg->addError($pwd_error);
        }
    }

    if (!$msg->containsErrors()) {
        //save data
        $password = $addslashes($_POST['form_password_hidden']);

        $sql = "UPDATE %smembers SET password='%s', last_login=last_login, creation_date=creation_date WHERE member_id=%d";
        $result = queryDB($sql,array(TABLE_PREFIX, $password, $_REQUEST['id']));
--------------------------------------------------------------------------------------------

The code continues (even if we hit that error), then checks for the presence of the POST variable form_change. We need to make sure that we do not include the POST variable password_error (generated from client side JavaScript), otherwise we will append errors to our session array. Then finally, a check is done on our session array, if (!$msg->containsErrors()), then the code proceeds to update the members table with the supplied POST variable form_password_hidden.

Patch??

Please just remove the line here:

$savant->display('password_reminder_feedback.tmpl.php');
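
The report above describes a check whose failure is recorded only in session state and can be wiped before the password update runs. The following is an added example, not ATutor's code or its actual patch, of a link check that returns a plain boolean the caller must test before updating. The function names, the server-side secret and the HMAC token format are assumptions.

```php
<?php
// Added example with hypothetical names; not ATutor's code or its actual patch.
const RESET_EXPIRY_DAYS = 2; // assumed to play the role of AT_PASSWORD_REMINDER_EXPIRY

function reset_token(string $id, string $day, string $pw_hash, string $secret): string
{
    // PHP concatenates with "."; "+" is arithmetic addition.
    return substr(hash_hmac('sha256', "$id|$day|$pw_hash", $secret), 0, 32);
}

// True only for a well-formed, unexpired link whose token matches. The result
// is a return value, so a template include cannot erase it the way the report
// says the error stored through $msg was erased.
function reset_link_is_valid(array $req, ?string $pw_hash, string $secret, int $now): bool
{
    foreach (['id', 'g', 'h'] as $key) {
        if (!isset($req[$key]) || !is_string($req[$key])) {
            return false;
        }
    }
    if (!ctype_digit($req['id']) || !ctype_digit($req['g']) || $pw_hash === null) {
        return false;
    }
    $today  = intdiv($now, 86400);
    $issued = (int) $req['g'];
    // Reject links dated in the future as well as expired ones.
    if ($issued > $today || $today > $issued + RESET_EXPIRY_DAYS) {
        return false;
    }
    // Constant-time comparison of the expected token with the supplied one.
    return hash_equals(reset_token($req['id'], $req['g'], $pw_hash, $secret), $req['h']);
}

// Constructed sample values, for illustration only.
$secret  = 'constructed-server-secret';
$pw_hash = 'constructed-stored-password-hash';
$now     = 1458337397;
$day     = (string) intdiv($now, 86400);
$good    = ['id' => '7', 'g' => $day, 'h' => reset_token('7', $day, $pw_hash, $secret)];
$cases   = [
    'valid link'  => $good,
    'wrong token' => ['h' => 'not-the-token'] + $good,
    'future g'    => ['g' => '99999'] + $good,
    'array param' => ['h' => ['x']] + $good,
];
foreach ($cases as $label => $req) {
    // The caller performs the password UPDATE only when this is true.
    printf("%-12s %s\n", $label, reset_link_is_valid($req, $pw_hash, $secret, $now) ? 'accept' : 'reject');
}
```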

5655 Arbitrary file read in view_item.php

Status: Closed
Date Submitted: 1458401841
Last Updated: 1467323004
Severity: Minor
Resolution: Fixed

http://172.16.175.152/ATutor/mods/_standard/forums/view_item.php?url=/etc/passwd&h=


define('AT_INCLUDE_PATH', '../../../include/');
require(AT_INCLUDE_PATH.'vitals.inc.php');

$url = urldecode($_GET['url']);

@readfile($_GET['url']);


5656 Arbitrary file read in mods/_standard/chat/view_transcript.php

Status: Closed
Date Submitted: 1458402313
Last Updated: 1467323004
Severity: Minor
Resolution: Fixed

Authentication can be bypassed to reach this.

@readfile(AT_CONTENT_DIR . 'chat/'.$_SESSION['course_id'].'/tran/'.$_GET['t'].'.html');

http://172.16.175.152/ATutor/mods/_standard/chat/view_transcript.php?t=../../../../../../../../../etc/passwd%00&h=

Needs a null byte injection, still, exploitable on older versions of php
5657 Arbitrary file read in mods/_standard/chat/manage/view_transcript.php

Status: Closed
Date Submitted: 1458403169
Last Updated: 1467323004
Severity: Minor
Resolution: Fixed

Again, auth not required... it can be bypassed

$file = AT_CONTENT_DIR . 'chat/'.$_SESSION['course_id'].'/tran/'.$_GET['t'].'.html';
if (!file_exists($file)) {
    $msg->addError('FILE_NOT_FOUND');
    header('Location: index.php');
    exit;
}
require(AT_INCLUDE_PATH.'header.inc.php');
@readfile($file);

PoC:
http://172.16.175.152/ATutor/mods/_standard/chat/manage/view_transcript.php?t=../../../../../../../../../etc/passwd%00&h=
5658 write_temp_file() File Write Remote Code Execution

Status: Closed
Date Submitted: 1458404016
Last Updated: 1467323004
Severity: Major
Resolution: Fixed

In editor_tab_functions.inc.php, I see:

function write_temp_file() {
    global $_POST, $msg;

    if (defined('AT_FORCE_GET_FILE') && AT_FORCE_GET_FILE) {
        $content_base = 'get.php/';
    } else {
        $content_base = 'content/' . $_SESSION['course_id'] . '/';
    }

    if ($_POST['content_path']) {
        $content_base .= $_POST['content_path'] . '/';
    }

    $file_name = $_POST['cid'].'.html';

    if ($handle = fopen(AT_CONTENT_DIR . $file_name, 'wb+')) {

        if (!@fwrite($handle, stripslashes($_POST['body_text']))) {
            $msg->addError('FILE_NOT_SAVED');
        }
    } else {
        $msg->addError('FILE_NOT_SAVED');
    }
    $msg->printErrors();
}

A file handle is created using POST 'cid' and then it is written to using POST 'body_text'. On older versions of php or php-cgi, this is exploitable to write a php file in the web root.

cid=../../../../../../../var/www/html/ATutor/mods/hax.php%00&body_text=

Come on man, this code is rough.
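
Reports 5656, 5657 and 5658 above all concatenate a request parameter ('t' or 'cid') into a file path. The following is an added example, not ATutor's code or its actual fix, of validating such a parameter before it reaches readfile() or fopen(). The helper name resolve_in_dir and the temporary demo directory are assumptions.

```php
<?php
// Added example with hypothetical names; not ATutor's code or its actual fix.

// Builds "<base_dir>/<name>.<ext>" only when $name is a plain file name.
// Returns null otherwise, so the caller never opens an unintended path.
function resolve_in_dir(string $base_dir, string $name, string $ext): ?string
{
    // Allowlist: letters, digits, "_" and "-". This rejects "/", "\", "." and
    // NUL bytes, so neither "../" sequences nor "%00" truncation get through.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    $path = $base . DIRECTORY_SEPARATOR . $name . '.' . $ext;
    if (!file_exists($path) && !is_link($path)) {
        return $path; // new file (write case): the name is already validated
    }
    // Existing entry (read case): resolve symlinks and re-check containment.
    $real   = realpath($path);
    $prefix = $base . DIRECTORY_SEPARATOR;
    return ($real !== false && strncmp($real, $prefix, strlen($prefix)) === 0) ? $real : null;
}

// Constructed demo: a temporary directory stands in for the transcript folder.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tran_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'session1.html', '<p>constructed transcript</p>');

// Constructed inputs: one legitimate name and several that must be refused.
$inputs = ['session1', '../../../etc/passwd', "session1\0", 'a/b', ''];
foreach ($inputs as $t) {
    $path = resolve_in_dir($dir, $t, 'html');
    printf("%-24s %s\n", json_encode($t), $path === null ? 'rejected' : 'ok: ' . basename($path));
}

unlink($dir . DIRECTORY_SEPARATOR . 'session1.html');
rmdir($dir);
```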

5661 Side menu editor

Status: Closed
Date Submitted: 1458749210
Last Updated: 1467323004
Severity: Minor
Resolution: Fixed

The side menu boxes reset to nothing if edited via Course Tools>Side Menu
5662 Import Cartridge from AContent

Status: Closed
Date Submitted: 1458749864
Last Updated: 1467323004
Severity: Minor
Resolution: Fixed

Importing a cartridge via AContent search, produces "not a zip file" error.
5663 Footer logo missing in a course

Status: Closed
Date Submitted: 1458927262
Last Updated: 1467323004
Severity: Minor
Resolution: Fixed

While in a course, the logo in the footer is a broken image. Missing get.php.
5665 Admin photo album ids mismatch

Status: Closed
Date Submitted: 1459104826
Last Updated: 1467323004
Severity: Minor
Resolution: Fixed

Clicking on a photo album list in themes/default/photos/admin/pa_index.tmpl.php activates the album in the next row.