[VIM] ATutor 1.5.3 Cross Site Scripting

Steven M. Christey coley at mitre.org
Fri Jul 21 18:07:26 EDT 2006

Sent the following to the atutor vendor and CC'd Bugtraq.  Did some
diff digging between the original and patched versions.

Also, the diffs suggest a lot of SQL injection related fixes, and some
of the originally mentioned XSS might be resultant from SQL injection.
Don't have enough time to dig deeper though, sorry...

- Steve


>The mentioned SQL injection vulnerability is not possible. Please
>remove it.

Could you explain this further?

In 1.5.3, edit_forum() in forums.inc.php has the following:

	$sql	= "UPDATE ".TABLE_PREFIX."forums SET title='$_POST[title]', description='$_POST[body]' WHERE forum_id=$_POST[fid]";
	$result = mysql_query($sql,$db);

where is appears that $_POST[fid] is directly inserted into the SQL

In, a new statement has been added to the same function, just
before the two statements above:

	$_POST['fid']    = intval($_POST['fid']);

This looks like cleansing that would be relevant for SQL injection.

For those who were wondering, both $_POST['title'] and $_POST['body']
are re-set using addslashes:

  $_POST['title']  = $addslashes($_POST['title']);
  $_POST['body']   = $addslashes($_POST['body']);

- Steve

More information about the VIM mailing list