
AChecker 1.2 Multiple Remote XSS/PD Vulnerabilities

Severity
Medium
Advisory ID
ZSL-2011-5035
Release Date
06 August 2011
Vendor
ATutor (Inclusive Design Institute) - http://www.atutor.ca
Affected Version
1.2 (build r530)
CVE
N/A
Tested On
Microsoft Windows XP Professional SP3 (EN), Apache 2.2.14 (Win32), PHP 5.3.1, MySQL 5.1.41
Summary

AChecker is an open source Web accessibility evaluation tool. It can be used to review the accessibility of Web pages against a variety of international accessibility guidelines.

Description

AChecker suffers from multiple cross-site scripting and path disclosure vulnerabilities. Input passed through the GET parameters 'id', 'p' and 'myown_patch_id' in several scripts is not sanitized, allowing an attacker to inject HTML and script code into a user's browser session in the context of the affected site and/or disclose the full filesystem path of the application's installation.

/themes/default/language/language_add_edit.tmpl.php
----------------
20: <form name="input_form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?><?php if (isset($_GET["id"])) echo '?id='.$_GET["id"]; ?>" >

/documentation/frame_header.php
----------------
17: if (isset($_GET['p'])) {
18:     $this_page = htmlentities($_GET['p']);
19: } else {
20:     exit;
21: }

/themes/default/user/user_group_create_edit.tmpl.php
----------------
20: <form name="input_form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?><?php if (isset($_GET["id"])) echo '?id='.$_GET["id"]; ?>" >

/updater/patch_edit.php
----------------
20: if (!isset($_REQUEST["myown_patch_id"]))
21: {
22:     $msg->addError('NO_ITEM_SELECTED');
23:     exit;
24: }
25:
26: $myown_patch_id = $_REQUEST["myown_patch_id"];

/user/user_create_edit.php
----------------
103: if (isset($_GET['id'])) // edit existing user
104: {
105:     $usersDAO = new UsersDAO();
106:     $savant->assign('user_row', $usersDAO->getUserByID($_GET['id']));
107:     $savant->assign('show_password', false);
108:
109: }
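As an added example (not part of the original advisory or of the AChecker code base), the form-action construction from the two .tmpl.php listings above is shown beside a hardened version that validates 'id' as an integer, URL-encodes the query string and escapes the attribute value. The function names and the sample request arrays are constructed for illustration.

```php
<?php
// Added example, not AChecker's own code. Both functions take plain arrays shaped
// like $_GET / $_SERVER so the snippet runs from the command line.

// Pattern from language_add_edit.tmpl.php and user_group_create_edit.tmpl.php:
// the raw 'id' value is concatenated into a quoted attribute, so any value containing
// a double quote closes the attribute and the rest is rendered as markup.
function vulnerable_form_action(array $get, array $server): string
{
    $action = $server['PHP_SELF'];
    if (isset($get['id'])) {
        $action .= '?id=' . $get['id'];
    }
    return '<form name="input_form" method="post" action="' . $action . '">';
}

// Hardened version:
//  - validate 'id' against the type the application expects (a positive record id),
//  - build the query string with http_build_query() so it is URL-encoded,
//  - escape the finished attribute with htmlspecialchars(ENT_QUOTES) for the HTML
//    attribute context,
//  - use a fixed script name instead of $_SERVER['PHP_SELF'], which can carry
//    request-controlled PATH_INFO.
function hardened_form_action(array $get, string $script_name): string
{
    $action = $script_name;
    $id = isset($get['id'])
        ? filter_var($get['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]])
        : false;
    if ($id !== false) {
        // Only a validated integer reaches the query string; an invalid value is dropped.
        $action .= '?' . http_build_query(['id' => $id]);
    }
    return '<form name="input_form" method="post" action="'
        . htmlspecialchars($action, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed request: a value that breaks out of the attribute in the vulnerable form.
$get    = ['id' => '1"><b>injected</b>'];
$server = ['PHP_SELF' => '/achecker/user/user_group_create_edit.php'];

echo vulnerable_form_action($get, $server), PHP_EOL;      // attribute closed, <b> rendered
echo hardened_form_action($get, 'user_group_create_edit.php'), PHP_EOL; // no id, nothing injected
echo hardened_form_action(['id' => '42'], 'user_group_create_edit.php'), PHP_EOL; // ?id=42
```

Pairing input validation with context-specific output escaping is the point: either one alone would have been enough for the 'id' case, but the two together also cover values that are valid but still need encoding elsewhere in the page.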
Proof of Concept
Disclosure Timeline
03.08.2011 Submitted vulnerability details to the vendor's bug tracking system.
05.08.2011 No reaction from vendor.
06.08.2011 Public security advisory released.
15.11.2011 Vendor releases fix.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
06.08.2011 Initial release
08.08.2011 Added reference [3]
09.08.2011 Added references [4] and [5]
11.08.2011 Added references [6], [7], [8], [9] and [10]
15.11.2011 Added vendor status