Bug Tracker

Browse through the latest 25 bug reports in the table below. Click on the Bug ID for a more detailed account of the bug. Select from the links to browse or search the bug tracker, to request a bug tracker account (open to ATutor developers), or to report a bug to the Bug Report Forum.

Browse Bug Tracker Anonymously | Request Bug Tracker Account | Report Bugs

Current Bug Summary


Bug ID | Summary | Description
5682 Create folder XSS

Status: Assigned
Date Submitted: 1463082356
Last Updated: 1463082356
Severity: Minor
Resolution: Open

Hello,
I have done the steps below:
- first step:
I logged in as a demo user
- second step:
I jumped to the URL: https://demo.atutorspaces.com/mods/_core/editor/edit_content_folder.php?
- third step:
I injected script code, then I realized that your demo website is vulnerable to a stored XSS; attached you will find some screenshots.
5680 Enroll form for new registrants

Status: Resolved
Date Submitted: 1461772335
Last Updated: 1461975054
Severity: Minor
Resolution: Fixed

After clicking the enroll link while not logged in, then choosing New User>Register, the registration form has no fields to fill in.
5679 stripslashes site title

Status: Resolved
Date Submitted: 1461762474
Last Updated: 1461969225
Severity: Minor
Resolution: Fixed

The site title inserts slashes when there's an apostrophe in it.
5678 Decimal score in test results

Status: Resolved
Date Submitted: 1461018966
Last Updated: 1461019274
Severity: Minor
Resolution: Fixed

In test results, while editing marks, decimal values appear as 0.

testQuestions.class.php L567
5667 starting a transcript redirect

Status: Closed
Date Submitted: 1459115173
Last Updated: 1460905069
Severity: Minor
Resolution: Unable to Duplicate

When accessing the create transcript form through the manage submenu, when saved, instead of returning to the chat opening page, it redirects to the instructor's Manage screen.
5673 Bounce not bouncing to public courses

Status: Acknowledged
Date Submitted: 1459361446
Last Updated: 1460904904
Severity: Major
Resolution: Open

Clicking on a public course, either in browser courses or my start, just reloads the page or redirects to the login page.
5674 Custom Course Icons break after update

Status: Resolved
Date Submitted: 1459362489
Last Updated: 1460904835
Severity: Minor
Resolution: Fixed

Custom course icons no longer appear after the update. Probably related to the basename() addition. May need to be replaced with the ".." replacement regex.
5675 Home banner images break.

Status: Resolved
Date Submitted: 1459362699
Last Updated: 1460904758
Severity: Minor
Resolution: Fixed

Images in the Home page banner break after update. Needs whitelist, or stripslashes.
5642 Step 2 Install create DB

Status: Resolved
Date Submitted: 1457100628
Last Updated: 1460837940
Severity: Minor
Resolution: Fixed

A blank screen appears in step 2 of an installation if the database user does not have create database permission
5645 cron syspref language

Status: Resolved
Date Submitted: 1457305764
Last Updated: 1460837918
Severity: Minor
Resolution: Fixed

The cron option in system preferences has two Enabled labels.
5648 Cancel Import Broken

Status: Resolved
Date Submitted: 1457553918
Last Updated: 1460837892
Severity: Minor
Resolution: Fixed

When cancelling an import via link from AContent search in ATutor, the download popup opens. Found on the demo site.
5653 confirm.php php type juggling authentication bypass vulnerabilities

Status: Resolved
Date Submitted: 1458247578
Last Updated: 1460837806
Severity: Major
Resolution: Fixed

So, there are 2 authentication bypass vulnerabilities within the confirm.php script.

1. update email type juggling authentication bypass

This occurs on line 36:

if ($code == $m) {

This code is vulnerable to an authentication bypass due to the loose ==. To patch this just change the == to ===.

impact:

The ability for an attacker to change the email address of any member, then the attacker can reset the password of the member via email and login, thus bypassing authentication.

2. auto login type juggling authentication bypass

This occurs on line 151:

if ($row['member_id'] != '' && isset($_REQUEST['code']) && $_REQUEST['code'] == $code)

This code is vulnerable to an authentication bypass due to the loose ==. To patch this just change the == to ===.

impact:

The ability for an attacker to achieve a valid session of the targeted member_id and bypass authentication.
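The loose-comparison behaviour behind report 5653, shown as an added example that is not from the report or from ATutor. The sample codes and function names are constructed, and `safe_match` goes beyond the report's `===` patch by also using `hash_equals`.

```php
<?php
// Added illustration with constructed values; not code from ATutor.

// Comparison as written in the quoted lines: two numeric-looking strings
// are converted to numbers before being compared.
function loose_match($supplied, string $expected): bool
{
    return $supplied == $expected;
}

// The change the report asks for: same type and same bytes, no conversion.
function strict_match($supplied, string $expected): bool
{
    return $supplied === $expected;
}

// One step further (an assumption of this example, not the report's patch):
// reject non-strings, then compare in constant time.
function safe_match($supplied, string $expected): bool
{
    return is_string($supplied) && hash_equals($expected, $supplied);
}

// Constructed [supplied, expected] pairs.
$cases = [
    ['0e1234', '0e9999'],  // both read as 0 in exponent notation
    ['1000',   '1e3'],     // both read as 1000
    ['abc123', 'abc123'],  // genuine match
    ['abc124', 'abc123'],  // genuine mismatch
    [['x'],    'abc123'],  // array-valued request parameter
];

foreach ($cases as [$supplied, $expected]) {
    printf(
        "%-10s vs %-8s loose=%-5s strict=%-5s safe=%s\n",
        json_encode($supplied),
        $expected,
        var_export(loose_match($supplied, $expected), true),
        var_export(strict_match($supplied, $expected), true),
        var_export(safe_match($supplied, $expected), true)
    );
}
```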
5654 Failed logic password_reminder.php Remote Password Reset vulnerability

Status: Resolved
Date Submitted: 1458337397
Last Updated: 1460837729
Severity: Major
Resolution: Fixed

There is a failed logic flaw in the password_reminder.php script that we can leverage for a remote password reset without requiring any kind of authentication or interaction via email. This is a fatal mistake.

--------------------------------------------------------------------------------------------
} else if (isset($_REQUEST['id']) && isset($_REQUEST['g']) && isset($_REQUEST['h'])) {
    //coming from an email link
    //check if expired
    $current = intval(((time()/60)/60)/24);
    $expiry_date = $_REQUEST['g'] + AT_PASSWORD_REMINDER_EXPIRY; //2 days after creation
    if ($current > $expiry_date) {
        $msg->addError('INVALID_LINK');
        $savant->display('password_reminder_feedback.tmpl.php');
        exit;
    }
    /* check if already visited (possibly add a "last login" field to members table)... if password was changed, won't work anyway. do later. */
    //check for valid hash
    $sql = "SELECT password, email FROM %smembers WHERE member_id=%d";
    $row = queryDB($sql, array(TABLE_PREFIX, $_REQUEST['id']), TRUE);
    if (isset($row['email']) && $row['email'] != '') {
        $email = $row['email'];
        $hash = sha1($_REQUEST['id'] + $_REQUEST['g'] + $row['password']);
        $hash_bit = substr($hash, 5, 15);
        if ($_REQUEST['h'] != $hash_bit) {
            $msg->addError('INVALID_LINK');
            $savant->display('password_reminder_feedback.tmpl.php');
--------------------------------------------------------------------------------------------

Although this vulnerability is very hard to see, we start out by setting the id, g and h REQUEST. The g variable is used to calculate the expiry_date variable and needs to ensure that the value is greater than the number of days since epoch (1/1/1970).

Then later in the code, our controlled h REQUEST variable is compared against a computed string. If it fails, the INVALID_LINK error is appended to our session array using $msg->addError('INVALID_LINK');. The problem arises on the next line of code. The call to $savant->display('password_reminder_feedback.tmpl.php'); actually includes that PHP file (and subsequently several other PHP files). Eventually, one of the files calls session_start() and rewrites our session to not contain our error in it. This essentially erases the error that the previous line appended!

Why is this important? Let's see in the next few lines of code.

--------------------------------------------------------------------------------------------
//changing the password
if (isset($_POST['form_change'])) {
    /* password check: password is verified front end by javascript. here is to handle the errors from javascript */
    if ($_POST['password_error'] <> ""){
        $pwd_errors = explode(",", $_POST['password_error']);
        foreach ($pwd_errors as $pwd_error){
            if ($pwd_error == "missing_password")
                $missing_fields[] = _AT('password');
            else
                $msg->addError($pwd_error);
        }
    }

    if (!$msg->containsErrors()) {
        //save data
        $password = $addslashes($_POST['form_password_hidden']);

        $sql = "UPDATE %smembers SET password='%s', last_login=last_login, creation_date=creation_date WHERE member_id=%d";
        $result = queryDB($sql,array(TABLE_PREFIX, $password, $_REQUEST['id']));
--------------------------------------------------------------------------------------------

The code continues (even if we hit that error) then checks for the presence of the POST variable form_change. We need to be sure that we do not include the POST variable password_error (generated from client side JavaScript), otherwise we will append errors to our session array. Then finally, a check is done on our session array, if (!$msg->containsErrors()), then the code proceeds to update the members table with the supplied POST variable form_password_hidden.

Patch??

Please just remove the line here:

$savant->display('password_reminder_feedback.tmpl.php');
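A fail-closed shape for the reset handler discussed in report 5654, as an added example that is not ATutor's code or its fix: the validity decision is a function's return value rather than an entry in a session-backed error list, and every failure returns before the update branch. Function names, the `|`-joined hash input and the sample values are assumptions of this example.

```php
<?php
// Added illustration; names and sample values are constructed, not ATutor's.
const REMINDER_EXPIRY_DAYS = 2; // the quoted code notes "2 days after creation"

// True only if id, g and h are well-formed strings, g is a plausible
// unexpired creation day, and h carries the expected hash fragment.
function reset_link_is_valid(array $req, string $storedPassword, int $today): bool
{
    foreach (['id', 'g', 'h'] as $key) {
        if (!isset($req[$key]) || !is_string($req[$key])) {
            return false;                       // missing or array-valued
        }
    }
    if (!ctype_digit($req['id']) || !ctype_digit($req['g'])) {
        return false;                           // not plain decimal digits
    }
    $created = (int) $req['g'];
    if ($created > $today || $today > $created + REMINDER_EXPIRY_DAYS) {
        return false;                           // future-dated or expired
    }
    // Assumption: fields are joined as strings with a separator before hashing.
    $expected = substr(sha1($req['id'] . '|' . $req['g'] . '|' . $storedPassword), 5, 15);
    return hash_equals($expected, $req['h']);   // strict, constant-time compare
}

// The outcome depends only on the validator's return value; no template
// include or session rewrite in between can clear it.
function handle_reset(array $req, array $post, string $storedPassword, int $today): string
{
    if (!reset_link_is_valid($req, $storedPassword, $today)) {
        return 'INVALID_LINK';
    }
    if (!isset($post['form_change'])) {
        return 'SHOW_FORM';
    }
    return 'PASSWORD_UPDATED';                  // the UPDATE would run only here
}

$today  = intdiv(time(), 86400);                // days since the epoch
$stored = 'constructed-stored-password-hash';
$g      = (string) $today;
$good   = substr(sha1('42|' . $g . '|' . $stored), 5, 15);
$post   = ['form_change' => '1'];

echo handle_reset(['id' => '42', 'g' => $g, 'h' => $good], $post, $stored, $today), "\n";
echo handle_reset(['id' => '42', 'g' => $g, 'h' => 'wrong'], $post, $stored, $today), "\n";
echo handle_reset(['id' => '42', 'g' => '99999999', 'h' => 'wrong'], $post, $stored, $today), "\n";
```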

5655 Arbitrary file read in view_item.php

Status: Resolved
Date Submitted: 1458401841
Last Updated: 1460837702
Severity: Minor
Resolution: Fixed

http://172.16.175.152/ATutor/mods/_standard/forums/view_item.php?url=/etc/passwd&h=


define('AT_INCLUDE_PATH', '../../../include/');
require(AT_INCLUDE_PATH.'vitals.inc.php');

$url = urldecode($_GET['url']);

@readfile($_GET['url']);


5661 Side menu editor

Status: Resolved
Date Submitted: 1458749210
Last Updated: 1460837672
Severity: Minor
Resolution: Fixed

The side menu boxes reset to nothing if edited via Course Tools>Side Menu
5663 Footer logo missing in a course

Status: Resolved
Date Submitted: 1458927262
Last Updated: 1460837645
Severity: Minor
Resolution: Fixed

While in a course, the logo in the footer is a broken image. Missing get.php.
5662 Import Cartridge from AContent

Status: Resolved
Date Submitted: 1458749864
Last Updated: 1460837619
Severity: Minor
Resolution: Fixed

Importing a cartridge via AContent search, produces "not a zip file" error.
5636 create new file in folder

Status: Resolved
Date Submitted: 1456585559
Last Updated: 1460837581
Severity: Minor
Resolution: Fixed

When creating a new file inside a folder, the file gets saved into the filemanager's root directory. Missing the pathext value.
3715 additional name formats

Status: Resolved
Date Submitted: 1235383250
Last Updated: 1460837554
Severity: Feature
Resolution: Fixed

Japanese, and other languages, present last name first. Some of the following formats could be added.

http://www.atutor.ca/view/2/16741/1.html
5665 Admin photo album ids mismatch

Status: Resolved
Date Submitted: 1459104826
Last Updated: 1460837532
Severity: Minor
Resolution: Fixed

Clicking on a photo album list in themes/default/photos/admin/pa_index.tmpl.php activates the album in the next row.
5666 Admin Edit LTI handbook missing

Status: Resolved
Date Submitted: 1459105795
Last Updated: 1460837509
Severity: Minor
Resolution: Fixed

The handbook link is missing on the edit LTI screen
5676 CC/QTI Import Multiple Answer

Status: Resolved
Date Submitted: 1460232383
Last Updated: 1460837472
Severity: Minor
Resolution: Fixed

When importing a qti package or common cartridge, that has a multiple answer question in the test, it attempts to insert the same question ID twice. Appears to be occurring in the importQuestions() function in QTIImport.class.php
5677 Multiple Answer QTI import fails

Status: New
Date Submitted: 1460835176
Last Updated: 1460835176
Severity: Minor
Resolution: Open

Unable to get multiple answer questions to import when part of a QTI quiz attached to a common cartridge.
5617 Google Calendars require OAuth 2

Status: New
Date Submitted: 1451943439
Last Updated: 1459293633
Severity: Major
Resolution: Open

As of April 20, 2015 OAuth2 is required for google api access. Connecting to google calendars from ATutor is currently not possible for any new connections. Existing OAuth1 connections will continue for a while.

Calendar API
https://developers.google.com/google-apps/calendar/?csw=1
https://developers.google.com/google-apps/calendar/overview
https://developers.google.com/google-apps/calendar/quickstart/php
5672 Add event to day calendar loses time

Status: New
Date Submitted: 1459293609
Last Updated: 1459293633
Severity: Minor
Resolution: Open

Adding an event to the calendar from the day view, always creates a full day event.