MidnightBSD

Advisories for adaptive_technology_resource_centre

CVE-2005-2044 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.4.3 and 1.5 RC 1 allow remote attackers to inject arbitrary web script or HTML via the (1) show_course parameter to browse.php, (2) subject parameter to contact.php, (3) cid parameter to content.php, (4) l parameter to inbox/send_message.php, the (5) search, (6) words, (7) include, (8) find_in, (9) display_as, or (10) search parameter to search.php, the (11) submit, (12) query, or (13) field parameter to tile.php, the (14) us parameter to forum/subscribe_forum.php, or the (15) roles[], (16) status, (17) submit, or (18) reset_filter parameters to directory.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
adaptive_technology_resource_centre atutor 1.4.3
adaptive_technology_resource_centre atutor 1.5_rc_1
CVE-2005-2649 MEDIUM

Cross-site scripting (XSS) vulnerability in ATutor 1.5.1 allows remote attackers to inject arbitrary web script or HTML via (1) course parameter in login.php or (2) words parameter in search.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
adaptive_technology_resource_centre atutor 1.5.1
CVE-2005-2954 HIGH

SQL injection vulnerability in password_reminder.php in ATutor before 1.5.1 pl1 allows remote attackers to execute arbitrary SQL commands via the email field.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
adaptive_technology_resource_centre atutor 1.5.1
CVE-2005-2955 MEDIUM

config.inc.php in ATutor 1.5.1, and possibly earlier versions, uses an incomplete blacklist to check for dangerous file extensions, which allows authenticated administrators or educators to execute arbitrary code by uploading files with other executable extensions such as .inc, .php4, or others.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
adaptive_technology_resource_centre atutor 1.5.1
CVE-2005-2956 MEDIUM

ATutor 1.5.1, and possibly earlier versions, stores temporary chat logs under the web document root with insufficient access control and predictable filenames, which allows remote attackers to obtain user chat conversations via direct requests to those files.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
adaptive_technology_resource_centre atutor 1.5.1
CVE-2005-3403 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.4.1 through 1.5.1-pl1 allow remote attackers to inject arbitrary web script or HTML via (1) the _base_href parameter in translate.php, (2) the _base_path parameter in news.inc.php, and (3) the p parameter in add_note.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
adaptive_technology_resource_centre atutor 1.4.1
adaptive_technology_resource_centre atutor 1.5.1_pl1
adaptive_technology_resource_centre atutor 1.4.3
adaptive_technology_resource_centre atutor 1.4.2
adaptive_technology_resource_centre atutor 1.5.1
CVE-2005-3404 HIGH

Multiple PHP file inclusion vulnerabilities in ATutor 1.4.1 through 1.5.1-pl1 allow remote attackers to include arbitrary files via the section parameter followed by a null byte (%00) in (1) body_header.inc.php and (2) print.php.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
adaptive_technology_resource_centre atutor 1.4.1
adaptive_technology_resource_centre atutor 1.5.1_pl1
adaptive_technology_resource_centre atutor 1.4.3
adaptive_technology_resource_centre atutor 1.4.2
adaptive_technology_resource_centre atutor 1.5.1
CVE-2005-4155 HIGH

registration.PHP in ATutor 1.5.1 pl2 allows remote attackers to execute arbitrary SQL commands via an e-mail address that ends in a NULL character, which bypasses the PHP regular expression check. NOTE: it is possible that this is actually a bug in PHP code, in which case this should not be treated as a vulnerability in ATutor.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
adaptive_technology_resource_centre atutor 1.5.1_pl2
CVE-2006-3484 LOW

Multiple cross-site scripting (XSS) vulnerabilities in ATutor before 1.5.3 allow remote attackers to inject arbitrary web script or HTML via the (1) show_courses or (2) current_cat parameters to (a) admin/create_course.php, show_courses parameter to (b) users/create_course.php, (3) p parameter to (c) documentation/admin/, (4) forgot parameter to (d) password_reminder.php, (5) cat parameter to (e) users/browse.php, or the (6) submit parameter to admin/fix_content.php.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
adaptive_technology_resource_centre atutor 1.5.1_pl2
adaptive_technology_resource_centre atutor 1.5.1_pl1
adaptive_technology_resource_centre atutor 1.5.3_rc2
adaptive_technology_resource_centre atutor 1.5.1
CVE-2006-3662 HIGH

SQL injection vulnerability in index.php in ATutor 1.5.3 allows remote attackers to execute arbitrary SQL commands via the fid parameter. NOTE: this issue has been disputed by the vendor, who states "The mentioned SQL injection vulnerability is not possible." However, the relevant source code suggests that this issue may be legitimate, and the parameter is cleansed in 1.5.3.1

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
adaptive_technology_resource_centre atutor 1.5.3
CVE-2006-3821 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.5.3 allow remote attackers to inject arbitrary web script or HTML via the (1) lang parameter in (a) index_list.php and (2) year, (3) month, and (4) day parameter in (b) registration.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
adaptive_technology_resource_centre atutor 1.4.1
adaptive_technology_resource_centre atutor 1.5.3
adaptive_technology_resource_centre atutor 1.5.1_pl2
adaptive_technology_resource_centre atutor 1.5.1_pl1
adaptive_technology_resource_centre atutor 1.4.3
adaptive_technology_resource_centre atutor 1.4.2
adaptive_technology_resource_centre atutor 1.5.1
adaptive_technology_resource_centre atutor 1.5_rc_1