AChecker 1.2 Multiple Remote XSS/PD Vulnerabilities

Title: AChecker 1.2 Multiple Remote XSS/PD Vulnerabilities
Advisory ID: ZSL-2011-5035
Type: Remote
Impact: Exposure of System Information, Cross-Site Scripting
Risk: (3/5)
Release Date: 06.08.2011
Summary
AChecker is an open source Web accessibility evaluation tool. It can be used to review the accessibility of Web pages against a variety of international accessibility guidelines.
Description
AChecker suffers from multiple cross-site scripting and path disclosure vulnerabilities. Input passed through the GET parameters 'id', 'p' and 'myown_patch_id' in several scripts is not sanitized, allowing an attacker to execute HTML code in the user's browser session on the affected site and/or disclose the full filesystem path of the application's installation ;].

--------------------------------------------------------------------------------

/themes/default/language/language_add_edit.tmpl.php
----------------
20: <form name="input_form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?><?php if (isset($_GET["id"])) echo '?id='.$_GET["id"]; ?>" >

/documentation/frame_header.php
----------------
17: if (isset($_GET['p'])) {
18: $this_page = htmlentities($_GET['p']);
19: } else {
20: exit;
21: }

/themes/default/user/user_group_create_edit.tmpl.php
----------------
20: <form name="input_form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?><?php if (isset($_GET["id"])) echo '?id='.$_GET["id"]; ?>" >

/updater/patch_edit.php
----------------
20: if (!isset($_REQUEST["myown_patch_id"]))
21: {
22: $msg->addError('NO_ITEM_SELECTED');
23: exit;
24: }
25:
26: $myown_patch_id = $_REQUEST["myown_patch_id"];

/user/user_create_edit.php
----------------
103: if (isset($_GET['id'])) // edit existing user
104: {
105: $usersDAO = new UsersDAO();
106: $savant->assign('user_row', $usersDAO->getUserByID($_GET['id']));
107: $savant->assign('show_password', false);
108:
109: }
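The form-action pattern shown in language_add_edit.tmpl.php and user_group_create_edit.tmpl.php echoes 'id' straight into an HTML attribute. The following is an added example, not code from the advisory or from AChecker, that puts that line beside a hardened version: the id is validated as a positive integer and HTML-encoded before it is placed inside the attribute. The function names and the sample input are assumptions made for this example.

```php
<?php
// Added example (not AChecker's code): the form-action pattern from the
// advisory snippets, in its original unsafe form and in a hardened form.
// Function names and the sample input are assumptions for this example.

// Unsafe: mirrors the original line. The 'id' value is echoed raw into a
// quoted attribute, so a double quote in it terminates the attribute.
function action_suffix_unsafe(array $get): string
{
    return isset($get['id']) ? '?id=' . $get['id'] : '';
}

// Hardened: 'id' is a record key here, so accept only a positive integer,
// and still HTML-encode the value before it lands inside an attribute.
function action_suffix_safe(array $get): string
{
    if (!isset($get['id'])) {
        return '';
    }
    $id = filter_var($get['id'], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return '';   // reject rather than reflect the bad value back
    }
    return '?id=' . htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8');
}

// Renders the whole attribute, as the template does with $_SERVER['PHP_SELF'].
// PHP_SELF can carry caller-supplied PATH_INFO, so it is encoded as well.
function form_action(string $self, array $get, bool $hardened): string
{
    $self   = htmlspecialchars($self, ENT_QUOTES, 'UTF-8');
    $suffix = $hardened ? action_suffix_safe($get) : action_suffix_unsafe($get);
    return '<form name="input_form" method="post" action="' . $self . $suffix . '">';
}

// Constructed sample input: a value that closes the quoted attribute early.
$sample = ['id' => '1"><b>x</b>'];
$script = '/user/user_create_edit.php';

echo "unsafe:              ", form_action($script, $sample, false), PHP_EOL;
echo "hardened:            ", form_action($script, $sample, true), PHP_EOL;
echo "hardened (valid id): ", form_action($script, ['id' => '42'], true), PHP_EOL;
```

Run it with the PHP CLI: the unsafe line reproduces the attribute break-out, the hardened line drops the malformed id and keeps the attribute intact, and a numeric id passes through encoded. Validating the type at the point of use also helps the path disclosure side of the advisory, since a non-numeric id never reaches the DAO lookup; independently of that, production deployments should keep display_errors off and log_errors on so that PHP warnings never print installation paths to the client.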

--------------------------------------------------------------------------------

Vendor
ATutor (Inclusive Design Institute) - http://www.atutor.ca
Affected Version
1.2 (build r530)
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vendor Status
[03.08.2011] Submitted vulnerability details to vendor's bug tracking system.
[05.08.2011] No reaction from vendor.
[06.08.2011] Public security advisory released.
[15.11.2011] Vendor releases fix.
PoC
achecker_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://atutor.ca/atutor/mantis/view.php?id=4803
[2] http://securityreason.com/wlb_show/WLB-2011080043
[3] http://packetstormsecurity.org/files/103763
[4] http://secunia.com/advisories/45559/
[5] http://www.securityfocus.com/bid/49093
[6] http://osvdb.org/show/osvdb/74415
[7] http://osvdb.org/show/osvdb/74416
[8] http://osvdb.org/show/osvdb/74417
[9] http://osvdb.org/show/osvdb/74418
[10] http://osvdb.org/show/osvdb/74419
Changelog
[06.08.2011] - Initial release
[08.08.2011] - Added reference [3]
[09.08.2011] - Added reference [4] and [5]
[11.08.2011] - Added reference [6], [7], [8], [9] and [10]
[15.11.2011] - Added vendor status
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk