Title: AContent 1.1 (category_name) Remote Script Insertion Vulnerability
Advisory ID: ZSL-2011-5033
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 06.08.2011

Summary

AContent is an open source learning content authoring system and respository used to create interoperable, accessible, adaptive Web-based learning content. It can be used along with learning management systems to develop, share, and archive learning materials.

Description

AContent suffers from a stored cross-site scripting vulnerability. Input thru the POST parameter 'category_name' in '/course_category/index.php' is not sanitized allowing the attacker to execute HTML code into user's browser session on the affected site. Auth needed for script insertion.

Vendor

ATutor (Inclusive Design Institute) - http://www.atutor.ca

Affected Version

1.1 (build r296)

Tested On

Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41

Vendor Status

[03.08.2011] Submited vulnerability details to vendor's bug tracking system.
[05.08.2011] No reaction from vendor.
[06.08.2011] Public security advisory released.
[23.09.2011] Vendor releases fix.

PoC

acontent_storedxss.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] http://atutor.ca/atutor/mantis/view.php?id=4804
[2] http://securityreason.com/wlb_show/WLB-2011080045
[3] http://www.exploit-db.com/exploits/17629/
[4] http://packetstormsecurity.org/files/103761
[5] http://www.securityfocus.com/bid/49066
[6] http://secunia.com/advisories/45560
[7] http://xforce.iss.net/xforce/xfdb/69076
[8] http://osvdb.org/show/osvdb/74454

Changelog

[06.08.2011] - Initial release
[08.08.2011] - Added reference [4] and [5]
[09.08.2011] - Added reference [6]
[11.08.2011] - Added reference [7]
[12.08.2011] - Added reference [8]
[23.09.2011] - Added vendor status

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk