Vulnerabilities > CVE-2005-2649 - Unspecified vulnerability in Adaptive Technology Resource Centre Atutor 1.5.1

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
adaptive-technology-resource-centre
nessus
exploit available

Summary

Cross-site scripting (XSS) vulnerability in ATutor 1.5.1 allows remote attackers to inject arbitrary web script or HTML via (1) course parameter in login.php or (2) words parameter in search.php.

Vulnerable Configurations

Part Description Count
Application
Adaptive_Technology_Resource_Centre
1

Exploit-Db

descriptionATutor 1.5.1 login.php course Parameter XSS. CVE-2005-2649. Webapps exploit for php platform
idEDB-ID:26170
last seen2016-02-03
modified2005-08-18
published2005-08-18
reportermatrix_killer
sourcehttps://www.exploit-db.com/download/26170/
titleATutor 1.5.1 login.php course Parameter XSS

Nessus

NASL familyCGI abuses : XSS
NASL idATUTOR_XSS.NASL
descriptionThe remote host is running ATutor, a CMS written in PHP. The remote version of this software is prone to cross-site scripting attacks due to its failure to sanitize user-supplied input.
last seen2020-06-01
modified2020-06-02
plugin id19587
published2005-09-06
reporterCopyright (C) 2005-2018 Josh Zlatin-Amishav
sourcehttps://www.tenable.com/plugins/nessus/19587
titleATutor 1.5.1 Multiple Script XSS
code
#
# This script was written by Josh Zlatin-Amishav <josh at ramat doti cc>
#
# This script is released under the GNU GPLv2

# Changes by Tenable:
# - Revised plugin title (4/28/09)


include("compat.inc");

if(description)
{
 script_id(19587);
 script_version ("1.22");
 script_cve_id("CVE-2005-2649");
 script_bugtraq_id(14598);

 script_name(english:"ATutor 1.5.1 Multiple Script XSS");

 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is vulnerable to a
cross-site scripting issue." );
 script_set_attribute(attribute:"description", value:
"The remote host is running ATutor, a CMS written in PHP. 

The remote version of this software is prone to cross-site scripting 
attacks due to its failure to sanitize user-supplied input." );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Aug/259" );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2005/Aug/598" );
 script_set_attribute(attribute:"solution", value:
"Unknown at this time." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

 script_set_attribute(attribute:"plugin_publication_date", value: "2005/09/06");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/08/18");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:adaptive_technology_resource_centre:atutorv");
script_end_attributes();


 script_summary(english:"Checks for XSS in login.php");
 script_category(ACT_ATTACK);
 script_family(english:"CGI abuses : XSS");
 script_copyright(english:"Copyright (C) 2005-2020 Josh Zlatin-Amishav");
 script_dependencies("http_version.nasl", "cross_site_scripting.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_keys("www/PHP");
 exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");
include("global_settings.inc");
include("url_func.inc");

port = get_http_port(default:80, embedded:TRUE);
if(!get_port_state(port))exit(0);
if(!can_host_php(port:port)) exit(0);
if ( get_kb_item("www/"+port+"/generic_xss") ) exit(0);

# A simple alert.
xss = "<script>alert(" + SCRIPT_NAME + ")</script>";
# nb: the url-encoded version is what we need to pass in.
exss = urlencode(str:xss);

foreach dir ( cgi_dirs() )
{
 req = http_get(
   item:string(
     dir, "/login.php?",
     'course=">', exss
   ), 
   port:port
 );
 res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);

debug_print("res [", res, "].");

 if (
   egrep(string:res, pattern:"Web site engine's code is copyright .+ href=.http://www\.atutor\.ca") &&
   xss >< res
 )
 {
        	security_warning(port);
		set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
        	exit(0);
 }
}