[CVE-2023-27008] ATutor 2.2.1 Cross-Site Scripting via the Token Body Parameter

Introduction

While conducting a case study, I discovered a reflected cross-site scripting (XSS) vulnerability in ATutor 2.2.1. Versions higher than 2.2.1 were also tested and I confirmed that they are not vulnerable to this attack.

Reflected Cross-Site Scripting (XSS)

The vulnerability exists in login.tmpl.php and login_functions.inc.php, and it can be exploited in login.php via a POST request. login.php accepts a token parameter. Below is the relevant partial code in login_functions.inc.php.

// login_functions.inc.php: the POST value is stored as-is, with no validation or encoding
if (isset($_POST['token']))
{
    $_SESSION['token'] = $_POST['token'];
}

The code sets $_SESSION['token'] to the submitted value of the token parameter of the POST request. Next is the relevant partial code in login.tmpl.php.

// login.tmpl.php: the session token is echoed raw into a JavaScript string literal inside an inline script
function encrypt_password() {
        document.form.form_password_hidden.value = hex_sha1(hex_sha1(document.form.form_password.value) + "<?php echo $_SESSION['token']; ?>");
        document.form.form_password.value = "";
        return true;
}

Inside this function, the template echoes the value of the token parameter directly into a JavaScript string literal, without any escaping or encoding for that context.

Figure 1 – Submission of a POST request with the token parameter
Figure 2 – Response to Figure 1 with a reflected value

The input is reflected. The next step is to test whether special characters are sanitized or encoded in any way. The same request was sent with a different token, asdf'"!@#$%^&*)}.

Figure 3 – Unsanitized reflected value

This confirms that the input is not sanitized or encoded at all. With this knowledge, the following payload can be crafted and sent (the + characters are spaces once the form-encoded body is decoded).

asdf");}alert(1);+function+asdf()+{//
Figure 4 – Response to the request with the payload

The payload closes the string literal and the hex_sha1() call, terminates the assignment and the body of encrypt_password(), injects alert(1); at the top level of the script so that it runs as soon as the page loads, and then opens a dummy function asdf() { whose body absorbs the remaining lines of the original function, including its trailing closing curly bracket. The // comments out the rest of the line, i.e. the original "); that ended the hex_sha1() call.

Figure 5 – Reflected XSS

This confirms that the injected alert(1) executes. Because the token is read from a POST body, the reflected XSS can also be delivered cross-site, CSRF-style, through an auto-submitting form.

Figure 6 – CSRF proof of concept code

Hosting this file and navigating to it also resulted in the alert(1) in the payload being executed.

Later Versions

The same attack is confirmed mitigated and not exploitable in later versions. My suspicion is that, while the web application was still actively developed, other similar attacks were reported to the developers, and the prevention mechanism they put in place stopped the reported attacks and, along with them, this seemingly new XSS.

Thoughts

Input sanitization, together with output encoding appropriate to the context in which a value is reflected (here, a JavaScript string literal inside an inline script), is always an important part of web application development.
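As an added example (not ATutor's code and not from the original write-up), the following JavaScript re-creates how login.tmpl.php drops the token into the inline encrypt_password() script and loads the result with stubbed document, hex_sha1 and alert objects. It shows side by side the effect of the payload described in the Reflected Cross-Site Scripting section and the effect of encoding the value for a JavaScript string context. The hex_sha1 stand-in, the DOM stub and the sample password are assumptions made for the demonstration.

```javascript
// Added example, not ATutor code: re-creates how login.tmpl.php drops the
// token into the inline encrypt_password() script, then loads the result
// with stubbed document/hex_sha1/alert to show (a) the raw interpolation
// executes attacker code on page load and (b) a context-aware encoder does not.
// The hex_sha1 stub, the DOM shape and the password are assumptions.

// PHP fills $_POST from a form-encoded body, so '+' decodes to a space.
function formDecode(param) {
  return decodeURIComponent(param.replace(/\+/g, ' '));
}

// Vulnerable rendering, equivalent to <?php echo $_SESSION['token']; ?>:
// the token is pasted verbatim into a JavaScript string literal.
function renderVulnerable(token) {
  return `function encrypt_password() {
    document.form.form_password_hidden.value = hex_sha1(hex_sha1(document.form.form_password.value) + "${token}");
    document.form.form_password.value = "";
    return true;
}`;
}

// Encode a value as a JavaScript string literal that is also safe inside a
// <script> block: JSON.stringify escapes quotes, backslashes and control
// characters; '<', '>', '&' and the U+2028/U+2029 line terminators are
// \u-escaped so the literal can neither close the script tag nor break a line.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hardened rendering: the token is emitted through jsStringLiteral().
function renderHardened(token) {
  return `function encrypt_password() {
    document.form.form_password_hidden.value = hex_sha1(hex_sha1(document.form.form_password.value) + ${jsStringLiteral(token)});
    document.form.form_password.value = "";
    return true;
}`;
}

// Evaluate a rendered script the way the browser would on page load, then
// call encrypt_password() as the form's onsubmit handler would. Returns every
// alert() argument seen and the value that ends up in the hidden field.
function loadScript(script, password) {
  const alerts = [];
  const document = {
    form: { form_password: { value: password }, form_password_hidden: { value: '' } },
  };
  // Stand-in for the real hex_sha1(): records its input so the caller can
  // see exactly what string reached the hash.
  const hex_sha1 = (s) => `sha1(${s})`;
  const run = new Function('document', 'hex_sha1', 'alert',
    `${script}\nencrypt_password();\nreturn document.form.form_password_hidden.value;`);
  const hidden = run(document, hex_sha1, (x) => alerts.push(x));
  return { alerts, hidden };
}

// Constructed demo with the payload from the write-up, exactly as it appears
// in the form-encoded POST body.
const DEMO_PAYLOAD = 'asdf");}alert(1);+function+asdf()+{//';
const demoToken = formDecode(DEMO_PAYLOAD);
console.log('vulnerable:', loadScript(renderVulnerable(demoToken), 'hunter2'));
console.log('hardened:  ', loadScript(renderHardened(demoToken), 'hunter2'));
```

With the vulnerable rendering, alert(1) fires at load time before encrypt_password() is ever called, and the hidden field only receives the hash of the password plus "asdf"; with the hardened rendering nothing fires and the whole payload reaches hex_sha1() as plain data. In PHP the equivalent of jsStringLiteral() is json_encode() with the JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT flags.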

Log

  • 2023-02-16 CVE request was submitted. The author of ATutor was not contacted, since ATutor was no longer supported or maintained at the time of writing.
  • 2023-03-28 The vulnerability was assigned CVE-2023-27008 and published.

Published by Plant Plants