← Advisories

AContent 1.1 (category_name) Remote Script Insertion Vulnerability

Medium
Advisory ID
ZSL-2011-5033
Release Date
06 August 2011
Vendor
ATutor (Inclusive Design Institute) - http://www.atutor.ca
Affected Version
1.1 (build r296)
CVE
N/A
Tested On
Microsoft Windows XP Professional SP3 (EN), Apache 2.2.14 (Win32), PHP 5.3.1, MySQL 5.1.41
Summary

AContent is an open source learning content authoring system and respository used to create interoperable, accessible, adaptive Web-based learning content. It can be used along with learning management systems to develop, share, and archive learning materials.

Description

AContent suffers from a stored cross-site scripting vulnerability. Input thru the POST parameter 'category_name' in '/course_category/index.php' is not sanitized allowing the attacker to execute HTML code into user's browser session on the affected site. Auth needed for script insertion.

Proof of Concept
acontent_storedxss.txtTXT
Disclosure Timeline
03.08.2011Submited vulnerability details to vendor's bug tracking system.
05.08.2011No reaction from vendor.
06.08.2011Public security advisory released.
23.09.2011Vendor releases fix.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]http://atutor.ca/atutor/mantis/view.php?id=4804
[2]http://securityreason.com/wlb_show/WLB-2011080045
[3]http://www.exploit-db.com/exploits/17629/
[4]http://packetstormsecurity.org/files/103761
[5]http://www.securityfocus.com/bid/49066
[6]http://secunia.com/advisories/45560
[7]http://xforce.iss.net/xforce/xfdb/69076
[8]http://osvdb.org/show/osvdb/74454
Changelog
06.08.2011Initial release
08.08.2011Added reference [4] and [5]
09.08.2011Added reference [6]
11.08.2011Added reference [7]
12.08.2011Added reference [8]
23.09.2011Added vendor status