
Wednesday, February 3, 2016

[FD] Atutor 2.2: XSS

Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Atutor 2.2
Fixed in: partly in ATutor 2.2.1-RC1, complete in 2.2.1
Fixed Version Link: http://ift.tt/PfH9i9
Vendor Website: http://www.atutor.ca/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 11/17/2015
Disclosed to public: 02/01/2016
Release mode: Coordinated Release
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

Atutor is a learning management system (LMS) written in PHP. In version 2.2, it is vulnerable to multiple reflected and persistent XSS attacks. The vulnerabilities can lead to the stealing of cookies, injection of keyloggers, or the bypassing of CSRF protection. If the victim is an admin, a successful exploitation can lead to code execution via the theme uploader, and if the victim is an instructor, this can lead to code execution via a file upload vulnerability in the same version of Atutor.

3. Details

XSS 1: Reflected XSS - Calendar

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description: The calendar_next parameter of the calendar is vulnerable to XSS. This issue has been fixed in ATutor 2.2.1-RC1.

Proof of Concept:

http://localhost/ATutor/mods/_standard/calendar/getlanguage.php?token=calendar_next
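
Added example, not part of the Curesec advisory or of ATutor's code: a log check for sites still running 2.2 that flags requests to the calendar endpoint whose token value is not a plain identifier. It assumes combined-format access logs and that legitimate token values look like calendar_next (letters, digits, underscores); the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Path taken from the advisory's proof-of-concept URL.
ENDPOINT = "/mods/_standard/calendar/getlanguage.php"
# Assumption: legitimate token values are identifier-like language keys.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9_]{1,64}")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded markup is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_tokens(log_lines):
    """Return (line_number, decoded_token) for non-identifier token values."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith(ENDPOINT):
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("token", []):
            token = fully_decode(raw)
            if not SAFE_TOKEN.fullmatch(token):
                hits.append((number, token))
    return hits


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Feb/2016:10:00:01 +0000] "GET /ATutor/mods/_standard/calendar/getlanguage.php?token=calendar_next HTTP/1.1" 200 12',
    '198.51.100.9 - - [03/Feb/2016:10:00:05 +0000] "GET /ATutor/mods/_standard/calendar/getlanguage.php?token=%22%3E%3Cb%3Ex HTTP/1.1" 200 31',
    '198.51.100.9 - - [03/Feb/2016:10:00:09 +0000] "GET /ATutor/mods/_standard/calendar/getlanguage.php?token=%253Cb%253E HTTP/1.1" 200 29',
    '198.51.100.7 - - [03/Feb/2016:10:00:12 +0000] "GET /ATutor/login.php?token=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, token in suspicious_tokens(SAMPLE_LOG):
        print(f"line {number}: suspicious token {token!r}")
```

A hit means the request deserves a look, not that it succeeded; upgrading to 2.2.1 is the fix the advisory names.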
