Headline
CVE-2023-27008: [CVE-2023-27008] ATutor 2.2.1 Cross-Site Scripting via the Token Body Parameter
A Cross-site scripting (XSS) vulnerability in the function encrypt_password() in login.tmpl.php in ATutor 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter.
Introduction
While conducting a case study, I discovered a vulnerability, a reflected cross-site scripting (XSS), in ATutor 2.2.1. Versions higher than 2.2.1 were also tested and I confirmed that they are not vulnerable to this attack.
Reflected Cross-Site Scripting (XSS)
The vulnerability exists in login.tmpl.php and login_functions.inc.php, and it can be exploited in login.php via a POST request. login.php accepts a token parameter. Below is partial code from login_functions.inc.php.
<?php
// login_functions.inc.php (excerpt): the request-supplied token is stored in the
// session without any validation or escaping.
if (isset($_POST['token']))
{
    $_SESSION['token'] = $_POST['token'];
}
The code sets $_SESSION['token'] to the submitted value of the token parameter via a POST request. Next is partial code in login.tmpl.php.
function encrypt_password() {
    // $_SESSION['token'] is echoed straight into a JavaScript string literal;
    // a double quote in the token ends the literal (this is the vulnerable line).
    document.form.form_password_hidden.value = hex_sha1(hex_sha1(document.form.form_password.value) + "<?php echo $_SESSION['token']; ?>");
    document.form.form_password.value = "";
    return true;
}
Within this function, the value stored in $_SESSION['token'], i.e. whatever was submitted as the token parameter, is echoed directly into a JavaScript string literal without any escaping.
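The following is an added example, not ATutor's own code: it places the template line above beside a hardened rendering of the same line, and shows the server generating the token itself instead of accepting it from the request. The function names (render_login_script_vulnerable, render_login_script_hardened, js_string_literal, issue_login_token, self_check) and the probe string are constructed for this illustration.

```php
<?php
// Added example (not from ATutor): vulnerable vs. hardened embedding of a
// server-side value into a JavaScript string literal inside a PHP template.
declare(strict_types=1);

// Mirrors the page's original pattern: the token is concatenated into a JS
// string literal with no escaping, so a double quote in it ends the literal.
function render_login_script_vulnerable(string $token): string
{
    return 'document.form.form_password_hidden.value = hex_sha1(hex_sha1(document.form.form_password.value) + "'
        . $token . '");';
}

// json_encode emits a valid JS string literal; the JSON_HEX_* flags additionally
// encode " ' < > & as \u0022 \u0027 \u003C \u003E \u0026, so the value can
// neither terminate the literal nor break out of the enclosing <script> element.
function js_string_literal(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

function render_login_script_hardened(string $token): string
{
    return 'document.form.form_password_hidden.value = hex_sha1(hex_sha1(document.form.form_password.value) + '
        . js_string_literal($token) . ');';
}

// The root cause is trusting $_POST['token'] at all. The server should be the
// only source of the token: generate it once per session with a CSPRNG and
// never overwrite it from request data. $session stands in for $_SESSION.
function issue_login_token(array &$session): string
{
    if (!isset($session['token'])) {
        $session['token'] = bin2hex(random_bytes(16));
    }
    return $session['token'];
}

// Self-check on a constructed probe string similar to the one used on the page.
function self_check(): bool
{
    $session = [];
    $token = issue_login_token($session);
    $probe = 'asdf\'"!@#$%^&*)}';

    $vulnerable = render_login_script_vulnerable($probe);
    $hardened   = render_login_script_hardened($probe);

    echo "Vulnerable: {$vulnerable}" . PHP_EOL;
    echo "Hardened:   {$hardened}" . PHP_EOL;

    // In the vulnerable output the probe's '"' closes the literal early;
    // in the hardened output it survives only as \u0022.
    return strpos($vulnerable, '"!@#') !== false
        && strpos($hardened, '"!@#') === false
        && strpos($hardened, '\u0022') !== false
        && preg_match('/^[0-9a-f]{32}$/', $token) === 1
        && issue_login_token($session) === $token;   // stable for the session
}

if (!self_check()) {
    throw new RuntimeException('self-check failed');
}
```

Run it with `php example.php`; the two echoed lines show the probe's double quote ending the literal in the vulnerable rendering and appearing as `\u0022` in the hardened one. Escaping fixes the injection, but issuing the token server-side is the change that removes the untrusted input from the template entirely.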
Figure 1 – Submission of a POST request with the token parameter
Figure 2 – Response to Figure 1 with a reflected value
The input is reflected. The next step is to test whether special characters are sanitized in any way. The same request was sent with a different token, asdf’”!@#$%^&*)}.
Figure 3 – Unsanitized reflected value
It can be confirmed that the input is not sanitized at all. With this knowledge, the following payload can be crafted and sent.
asdf");}alert(1);+function+asdf()+{//
Figure 4 – Response to the request with the payload
The payload successfully closes the function encrypt_password(), injects alert(1);, and defines a dummy function asdf() to absorb the trailing closing curly bracket. It also comments out the remainder of the line starting with hex_sha1(document.
Figure 5 – Reflected XSS
It can be confirmed that the payload alert(1) successfully executed. This XSS is also possible through cross-site request forgery (CSRF).
Figure 6 – CSRF proof of concept code
Hosting and navigating to this file also resulted in the alert(1) function in the payload being executed.
Later Versions
The same attack is confirmed mitigated and not exploitable in later versions. I suspect that when other similar attacks were reported to the developers while the web application was still actively developed, the prevention mechanism put in place stopped the reported attacks, including this seemingly new XSS, altogether.
Thoughts
Input sanitization is always an important part of web application development.
Log
- 2023-02-16 CVE request was submitted. The author of ATutor was not contacted since ATutor was no longer supported and maintained at the time of the writing.
- 2023-03-28 The vulnerability was assigned CVE-2023-27008 and published.