ATutor <= 2.2 (popuphelp.php) Reflected Cross-Site Scripting Vulnerability

• Software Link:

http://www.atutor.ca/

• Affected Versions:

Version 2.2 and prior versions.

• Vulnerability Description:

The vulnerable code is located in the /popuphelp.php script:

	if ($_GET['h']) {
		$h = $_GET['h'];
		
		if (is_string($_GET['h'])) { // just a AT_HELP code with no prefix
			$msg->printHelps($h);

User input passed through the “h” GET parameter is not properly sanitized before being passed to the “Message::printHelps()” method at line 30. This can be exploited to carry out reflected Cross-Site Scripting (XSS) attacks.

• Solution:

No official solution is currently available.

• Disclosure Timeline:

[06/10/2014] – Vendor notified
[09/10/2014] – Vendor response stating this issue has been added to the bug tracker and it is relatively minor
[11/11/2014] – Vendor replied asking for fix suggestions
[11/11/2014] – Fix suggestions have been provided to the vendor
[30/09/2015] – CVE number requested
[05/10/2015] – CVE number assigned
[06/10/2015] – After one year still no official solution available
[04/11/2015] – Public disclosure

• CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2015-7711 to this vulnerability.

• Credits:

Vulnerability discovered by Egidio Romano.