Introduction
While conducting a case study, I discovered a vulnerability, a reflected cross-site scripting (XSS), in ATutor 2.2.1. Versions higher than 2.2.1 were also tested and I confirmed that they are not vulnerable to this attack.
Reflected Cross-Site Scripting (XSS)
The vulnerability exists in login.tmpl.php and login_functions.inc.php, and it can be exploited in login.php via a POST request. login.php accepts a token parameter. Below is the relevant code from login_functions.inc.php.
// Any client-supplied token value is stored in the session unchanged.
if (isset($_POST['token']))
{
    $_SESSION['token'] = $_POST['token'];
}
The code sets $_SESSION['token'] to whatever value the token parameter carried in the POST request. Next is the relevant code from login.tmpl.php.
// The session token is echoed straight into a JavaScript string literal.
function encrypt_password() {
    document.form.form_password_hidden.value = hex_sha1(hex_sha1(document.form.form_password.value) + "<?php echo $_SESSION['token']; ?>");
    document.form.form_password.value = "";
    return true;
}
Within this function, the value given to the token parameter is echoed into the page without any escaping.
The input is therefore reflected. The next step is to check whether special characters are sanitized in any way, so the same request was sent with a different token, asdf'"!@#$%^&*)}.

It can be confirmed that the input is not sanitized at all. With this knowledge, the following payload can be crafted and sent.
asdf");}alert(1);+function+asdf()+{//

The payload successfully closes the function encrypt_password(), injects alert(1);, and defines a dummy function asdf() to absorb the trailing closing curly bracket. It also comments out the trailing part of the line starting with hex_sha1(document.
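As an added example (not ATutor's code), the template line above is shown in its unsafe form beside a hardened version that encodes the value for a JavaScript string context, rejects malformed tokens, and has the server issue the token instead of accepting it from the request. The function names render_unsafe, render_safe, js_string, token_is_well_formed and issue_login_token are hypothetical, as is the assumed token format of 32 lowercase hex digits; the sample payload is the decoded form of the one discussed above.

```php
<?php
// Added example, not ATutor's code. Function names are hypothetical.
// Shows the unsafe pattern from login.tmpl.php beside a hardened version.

// Unsafe: mirrors the original template. The token is concatenated raw into
// a JavaScript string literal, so a value containing  ");}  ends the literal,
// the hex_sha1() call, the statement and the enclosing function.
function render_unsafe(string $token): string
{
    return 'document.form.form_password_hidden.value = hex_sha1('
         . 'hex_sha1(document.form.form_password.value) + "' . $token . '");';
}

// Hardened output encoding: json_encode() emits a complete JavaScript string
// literal, quotes included. The JSON_HEX_* flags turn " ' < > & into \uXXXX
// escapes, so the value can neither close the literal nor break out of the
// surrounding <script> element (a literal "</script>" cannot appear).
function js_string(string $value): string
{
    $encoded = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    // json_encode() returns false on invalid UTF-8; fail closed rather than
    // emit a bare "false" into the script.
    return $encoded === false ? '""' : $encoded;
}

function render_safe(string $token): string
{
    return 'document.form.form_password_hidden.value = hex_sha1('
         . 'hex_sha1(document.form.form_password.value) + ' . js_string($token) . ');';
}

// Defence in depth: the token only ever needs to be a hex nonce, so anything
// else arriving in $_POST['token'] can be rejected before it reaches the
// session (assumed format: 32 lowercase hex digits).
function token_is_well_formed(string $token): bool
{
    return preg_match('/^[0-9a-f]{32}$/', $token) === 1;
}

// Root-cause fix: the server issues the token; the client never chooses it.
// Assumes session_start() has already been called.
function issue_login_token(): string
{
    if (empty($_SESSION['token']) || !token_is_well_formed($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['token'];
}

// Constructed sample: the decoded form of the payload discussed above.
$payload = 'asdf");}alert(1); function asdf() {//';

echo render_unsafe($payload), PHP_EOL;
echo render_safe($payload), PHP_EOL;
var_dump(token_is_well_formed($payload));
var_dump(token_is_well_formed(issue_login_token()));
```

Run from the command line, the first echoed line contains the token verbatim, so alert(1); stands as a statement of its own exactly as in the page; the second line contains the token as one string literal, "asdf\u0022);}alert(1); function asdf() {\/\/", because JSON_HEX_QUOT rewrites the double quote and json_encode() escapes the slashes by default, so nothing leaves the literal. The two var_dump() calls show the payload being rejected by the format check and a server-issued token passing it.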

It can be confirmed that the payload alert(1) successfully executed. Because the vulnerable parameter is submitted by POST, this XSS can also be delivered through cross-site request forgery (CSRF).
Hosting and navigating to this file also resulted in the alert(1) function in the payload being executed.
Later Versions
The same attack is confirmed to be mitigated and not exploitable in later versions. I suspect that when other similar attacks were reported to the developers while the web application was still actively developed, the prevention mechanism put in place stopped the reported attacks, including this seemingly new XSS, altogether.
Thoughts
Input sanitization is always an important part of web application development.
Log
- 2023-02-16 CVE request was submitted. The author of ATutor was not contacted since ATutor was no longer supported and maintained at the time of writing.
- 2023-03-28 The vulnerability was assigned CVE-2023-27008 and published.
Hi, good job! Have you also tested previous versions?
Hello!
I have not tested older versions.