AContent 1.1 Multiple Cross-Site Scripting Vulnerabilities

Title: AContent 1.1 Multiple Cross-Site Scripting Vulnerabilities
Advisory ID: ZSL-2011-5032
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 06.08.2011
Summary
AContent is an open source learning content authoring system and respository used to create interoperable, accessible, adaptive Web-based learning content. It can be used along with learning management systems to develop, share, and archive learning materials.
Description
AContent suffers from multiple XSS vulnerabilities when parsing user input to multiple parameters via GET and POST method in multiple scripts. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user's browser session.
Vendor
ATutor (Inclusive Design Institute) - http://www.atutor.ca
Affected Version
1.1 (build r296)
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vendor Status
[03.08.2011] Submited vulnerability details to vendor's bug tracking system.
[05.08.2011] No reaction from vendor.
[06.08.2011] Public security advisory released.
[23.09.2011] Vendor releases fix.
PoC
acontent_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://atutor.ca/atutor/mantis/view.php?id=4804
[2] http://securityreason.com/wlb_show/WLB-2011080046
[3] http://packetstormsecurity.org/files/103760
[4] http://www.securityfocus.com/bid/49066
[5] http://secunia.com/advisories/45560
[6] http://xforce.iss.net/xforce/xfdb/69076
[7] http://osvdb.org/show/osvdb/74455
[8] http://osvdb.org/show/osvdb/74456
[9] http://osvdb.org/show/osvdb/74457
[10] http://osvdb.org/show/osvdb/74458
[11] http://osvdb.org/show/osvdb/74459
[12] http://osvdb.org/show/osvdb/74460
[13] http://osvdb.org/show/osvdb/74461
[14] http://osvdb.org/show/osvdb/74462
[15] http://osvdb.org/show/osvdb/74463
Changelog
[06.08.2011] - Initial release
[08.08.2011] - Added reference [3] and [4]
[09.08.2011] - Added reference [5]
[11.08.2011] - Added reference [6]
[12.08.2011] - Added reference [7], [8], [9], [10], [11], [12], [13], [14] and [15]
[23.09.2011] - Added vendor status
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk