Atutor Multiple Vulnerabilities

Published: 2011-09-22 08:24:03

CVSS Base Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact:
Successful exploitation will let attackers to execute arbitrary script code or to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Affected Versions:
ATutor version 2.0.2

Technical Details:
Multiple flaws are due to an, - Input passed to the 'lang' parameter in '/documentation/index_list.php' is not properly sanitised before being returned to the user. - Input passed to the 'p_course', 'name' and 'value' parameters in '/mods/_standard/social/set_prefs.php' scripts is not properly sanitised before being used in SQL queries. - Input passed via the 'search_friends_HASH' POST parameter, where HASH is the value generated by the 'rand_key' parameter, to the '/mods/_standard/social/index_public.php' script is not properly sanitised before being returned to the user.

Recommendations:
Upgrade to ATutor version 2.0.3 or later.

Summary:
This host is running Atutor and is prone to information disclosure, SQL injection, and cross site scripting vulnerabilities.

Solution Type:
Vendor Patch

Detection Type:
remote_analysis

SecurityFocus Bugtraq ID:

https://www.securityfocus.com/bid/49057

References:

http://www.exploit-db.com/exploits/17631/
http://securityreason.com/wlb_show/WLB-2011080041
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5037.php
http://packetstormsecurity.org/files/view/103765/ZSL-2011-5037.txt

Search
Severity
Medium
CVSS Score
5.0

You never have to pay for a vulnerability scanning and management software again.

Tired of paying a subscription 'per asset' or 'per IP'? Well you can officially cancel your current subscription. Mageni provides a free, open source and enterprise-ready vulnerability scanning and management platform which helps you to find, prioritize, remediate and manage your vulnerabilities. It is free and always will be.