Info

Disclosure

Jul 08, 2006

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

ATutor contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'fid' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database. Note: the vendor disputes the validity of this flaw

Classification

Location: Remote/Network Access Required
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Rumored / Private
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

ATRC

ATutor

1.5.3

References

Bugtraq ID: 18898
Related OSVDB ID: 28186 28187
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0096.html
http://archives.neohapsis.com/archives/bugtraq/2006-07/0153.html
http://archives.neohapsis.com/archives/bugtraq/2006-07/0375.html
http://www.securityfocus.com/archive/1/archive/1/439873/100/100/threaded
CVE ID: 2006-3662 (see also: NVD)
Vendor URL: http://www.atutor.ca

Credit

Ellipsis Security - securityconnectiongmail.com - Ellipsis Security

Direct URL: http://osvdb.org/36218