Title: AChecker documentation/frame_header.php p Parameter XSS
Dates
Discovery: Aug 01, 2011
Disclosure: Aug 06, 2011
Exploit: Aug 06, 2011
Solution: Nov 15, 2011
Description
AChecker contains a flaw that allows a remote, reflected cross-site scripting (XSS) attack. The flaw exists because the documentation/frame_header.php script does not validate or encode the 'p' parameter before writing it into its output. An attacker can craft a URL that, when opened by a victim, executes arbitrary script in the victim's browser in the security context of the AChecker site, with access to whatever that origin trusts (session cookies not marked HttpOnly, page content, authenticated requests).
Additionally, the script may disclose the software's installation path in an error message. Such information is low risk on its own, but it is often useful for staging more focused attacks (for example, targeting includes or writable directories by absolute path).
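The two defects described above, shown side by side in an added example. This is not AChecker's code and not the published exploit: the frame-style markup, the allowlist of page names, the example payload and the sample PHP warning line are all constructed for illustration. It contrasts an unsafe handler that echoes 'p' verbatim with a hardened one that allowlists the value and HTML-encodes it on output, and adds the two checks a tester would run against the response: does the raw payload come back unencoded, and does the page leak a filesystem path.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist of documentation page names; the values the real
# frame_header.php accepts for 'p' are not given in this entry.
ALLOWED_PAGES = {"index", "checker", "guidelines"}

# Constructed probe: breaks out of a quoted attribute, then injects a script tag.
PAYLOAD = '"><script>alert(1)</script>'


def vulnerable_frame_header(p: str) -> str:
    """Constructed stand-in for the unsafe pattern: 'p' is written straight
    into the HTML with neither validation nor output encoding."""
    return f'<frame name="page" src="{p}.php">'


def hardened_frame_header(p: str) -> str:
    """Hardened form: reject anything outside the allowlist, then encode the
    value for an HTML attribute context (quote=True escapes both quote kinds)."""
    if p not in ALLOWED_PAGES:
        p = "index"
    safe = html.escape(p, quote=True)
    return f'<frame name="page" src="{safe}.php">'


def param_from_url(url: str, name: str = "p") -> str:
    """Pull a query parameter out of a full URL, as the script would see it."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(name, [""])[0]


def reflects_unescaped(page: str, payload: str) -> bool:
    """True when the payload appears in the response with its markup
    characters intact, i.e. the server did not encode it."""
    return payload in page


# Matches a PHP warning/notice/fatal error that names the file by absolute
# path (Unix or Windows), which is how installation paths usually leak.
_PHP_ERROR_WITH_PATH = re.compile(
    r"(?:Warning|Notice|Fatal error)(?:</b>)?:\s.*? in (/\S+|[A-Za-z]:\\\S+) on line \d+"
)


def leaks_install_path(page: str) -> bool:
    """True when the response carries a PHP error that reveals a server path."""
    return _PHP_ERROR_WITH_PATH.search(page) is not None


if __name__ == "__main__":
    url = "http://example.invalid/documentation/frame_header.php?p=" + PAYLOAD
    p = param_from_url(url)
    print("vulnerable reflects payload:", reflects_unescaped(vulnerable_frame_header(p), PAYLOAD))
    print("hardened reflects payload:  ", reflects_unescaped(hardened_frame_header(p), PAYLOAD))
```

The allowlist is the primary control: an attribute-encoded value stops the XSS, but for a parameter that selects a page or include, restricting it to known names also closes off the path-disclosure error and any include-style abuse in one step.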
Classification
Location: Remote / Network Access
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Solution: Solution Unknown
Exploit: Exploit Public
Disclosure: Uncoordinated Disclosure
OSVDB: Web Related
Solution
The original researcher has reported that a fix was released on 2011-11-15, but no vendor details (version number or changelog) were provided, so the fix could not be confirmed here.