Info

Disclosure

Jun 16, 2005

Discovery

Jun 10, 2005

Dates

Exploit

Jun 16, 2005

Solution

Unknown

Description

Atutor contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'roles', 'status', 'submit' and 'reset_filter' variables upon submission to the directory.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Available
OSVDB: Web Related

Solution

Unknown or Incomplete

Products

ATutor	ATutor	1.4.3
		1.5 RC1

References

Bugtraq ID: 13972
Related OSVDB ID: 17351 17352 17353 17354 17355 17356 17357 17358
Other Advisory URL: http://lostmon.blogspot.com/2005/06/atutor-multiple-variable-cross-site.html
Secunia Advisory ID: 15705
CVE ID: 2005-2044 (see also: NVD)
Security Tracker: 1014216
Vendor URL: http://www.atutor.ca/atutor/download.php

Credit

Lostmon Lords - Lostmongmail.com -

Direct URL: http://osvdb.org/36218