OSVDB ID: 28187

Title: ATutor index_list.php lang Parameter XSS

Info

Disclosure

Jul 08, 2006

Discovery

Unknown

Dates

Exploit

Jul 08, 2006

Solution

Unknown

Description

ATutor contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'lang' variable upon submission to the index_list.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
OSVDB: Web Related

Solution

Upgrade to version 1.5.3_pl1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

ATRC

ATutor

1.5.3

References

Credit

  • Ellipsis Security - securityconnectiongmail.com - Ellipsis Security


Direct URL: http://osvdb.org/28187