
AContent 1.1 Multiple Cross-Site Scripting Vulnerabilities

Severity
Medium
Advisory ID
ZSL-2011-5032
Release Date
06 August 2011
Vendor
ATutor (Inclusive Design Institute) - http://www.atutor.ca
Affected Version
1.1 (build r296)
CVE
N/A
Tested On
Microsoft Windows XP Professional SP3 (EN), Apache 2.2.14 (Win32), PHP 5.3.1, MySQL 5.1.41
Summary

AContent is an open source learning content authoring system and repository used to create interoperable, accessible, adaptive Web-based learning content. It can be used alongside learning management systems to develop, share, and archive learning materials.

Description

AContent suffers from multiple cross-site scripting vulnerabilities: input supplied to several parameters via the GET and POST methods in several scripts is not sanitized before being returned in the HTML response. An attacker can exploit these weaknesses to execute arbitrary HTML and script code in the browser session of a user who follows a crafted link or submits a crafted form.
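The pattern behind this class of bug, as an added illustrative example written for this page rather than code taken from AContent: a request parameter is concatenated straight into HTML, and the fix is to encode it for the context it lands in. The parameter name `q`, the form markup and the probe payload are all constructed for the example; the parameters and scripts actually affected are those in the advisory's proof of concept, which this snippet does not reproduce.

```php
<?php
// Added example for this advisory page; not AContent's own code.
// Both renderers take the request array ($_GET or $_POST), so the same
// comparison applies to either method. The parameter name 'q' is assumed.

// Vulnerable pattern: the raw parameter is echoed into an HTML attribute.
// A value such as  "><script>alert(1)</script>  closes the attribute and
// the tag, and the script runs in the viewer's session.
function render_search_vulnerable(array $request): string
{
    $q = isset($request['q']) ? (string) $request['q'] : '';
    return '<input type="text" name="q" value="' . $q . '">';
}

// Hardened form: encode for the HTML attribute context. ENT_QUOTES covers
// both quote styles, so the value cannot break out of the attribute, and
// the explicit charset avoids encoding mismatches.
function render_search_fixed(array $request): string
{
    $q = isset($request['q']) ? (string) $request['q'] : '';
    $safe = htmlspecialchars($q, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="q" value="' . $safe . '">';
}

// Probe helper of the kind used when sweeping many parameters: a marker
// payload is submitted and the response is checked for it byte-for-byte.
// Returns true when the payload came back unencoded (reflected XSS),
// false when it was absent or encoded.
function reflects_unencoded(string $body, string $payload): bool
{
    return strpos($body, $payload) !== false;
}

// Constructed payload: closes the value attribute and the <input> tag.
$payload = '"><script>alert(1)</script>';
$request = ['q' => $payload];

$vulnBody  = render_search_vulnerable($request);
$fixedBody = render_search_fixed($request);

printf("vulnerable: reflected unencoded = %s\n",
    reflects_unencoded($vulnBody, $payload) ? 'yes' : 'no');   // yes
printf("fixed:      reflected unencoded = %s\n",
    reflects_unencoded($fixedBody, $payload) ? 'yes' : 'no');  // no
echo $fixedBody, "\n";
// &quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt; inside the attribute
```

The probe deliberately matches the raw payload rather than a regular expression: if the marker survives verbatim the encoding step was skipped, and if it comes back as `&quot;&gt;...` the output is encoded for the attribute context. Output encoding must match the sink; a value written into a JavaScript string or a URL needs a different encoder than `htmlspecialchars`, and a parameter that is both GET- and POST-reachable needs the encoding applied at the output point, not at the point of input.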

Proof of Concept
Disclosure Timeline
03.08.2011 - Submitted vulnerability details to the vendor's bug tracking system.
05.08.2011 - No reaction from vendor.
06.08.2011 - Public security advisory released.
23.09.2011 - Vendor releases fix.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
06.08.2011 - Initial release
08.08.2011 - Added references [3] and [4]
09.08.2011 - Added reference [5]
11.08.2011 - Added reference [6]
12.08.2011 - Added references [7], [8], [9], [10], [11], [12], [13], [14] and [15]
23.09.2011 - Added vendor status