← Advisories

ATutor 2.0.2 (lang) HTTP Response Splitting Vulnerability

Medium

Advisory ID

ZSL-2011-5037

Release Date

06 August 2011

Vendor

ATutor (Inclusive Design Institute) - http://www.atutor.ca

Affected Version

2.0.2 (build r10589)

CVE

N/A

Tested On

Microsoft Windows XP Professional SP3 (EN), Apache 2.2.14 (Win32), PHP 5.3.1, MySQL 5.1.41

Summary

ATutor is an Open Source Web-based Learning Content Management System (LCMS) designed with accessibility and adaptability in mind. Educators can quickly assemble, package, and redistribute Web-based instructional content, easily retrieve and import prepackaged content, and conduct their courses online.

Description

Input passed to the 'lang' parameter in '/documentation/index_list.php' is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user.

/documentation/index_list.php
----------------
1: <?php
2: header('Location: index/index.php?'.$_GET['lang']);
3: exit;
4: ?>

Proof of Concept

atutor_httprs.txtTXT

Disclosure Timeline

03.08.2011Submited vulnerability details to vendor's bug tracking system.

05.08.2011No reaction from vendor.

06.08.2011Public security advisory released.

11.08.2011Vendor releases fix.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]http://atutor.ca/atutor/mantis/view.php?id=4805

[2]http://securityreason.com/wlb_show/WLB-2011080041

[3]http://www.exploit-db.com/exploits/17631/

[4]http://packetstormsecurity.org/files/103765

[5]http://www.securityfocus.com/bid/49057

Changelog

06.08.2011Initial release

08.08.2011Added reference [4] and [5]

11.08.2011Added vendor status.