
Vulnerabilities in TUTOS




--------------------------------------------------------------------------- 
              Multiple Vulnerabilities in TUTOS 
--------------------------------------------------------------------------- 
 
Author: Jose Antonio Coret (Joxean Koret) 
Date: 2004  
Location: Basque Country 
 
--------------------------------------------------------------------------- 
 
Affected software description: 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
TUTOS 1.1 (2004-04-14) and prior versions 
 
TUTOS is a tool to manage the organizational 
needs of small groups, teams, departments and 
the like. To do this it provides a set of 
web-based tools. 
 
Web : http://www.tutos.org 
 
--------------------------------------------------------------------------- 
 
Vulnerabilities: 
~~~~~~~~~~~~~~~~ 
 
A. SQL Injection. 
 
        The link_id parameter of 
/file/file_overview.php is used in an SQL 
query without being validated or escaped, so 
SQL commands can be injected through it. 
 
To try this :  
 
http://<site-with-tutos>/file/file_overview.php?link_id=1005'asdf 
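The query shape below is an added illustration, not TUTOS code: it shows why a link_id value such as 1005'asdf breaks a statement built by string concatenation, why a slightly different value changes which rows come back, and the parameterised form that survives both. The table name, columns and sample rows are assumptions constructed for the example.

```python
"""Added example (not TUTOS code): SQL injection through an unvalidated
integer parameter, and the hardened form. The files table, its columns
and the sample rows are constructed for illustration only; the real
query in file_overview.php is not reproduced here."""
import sqlite3


def make_db():
    # In-memory database with two sample rows (constructed data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER, link_id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO files VALUES (?, ?, ?)",
        [(1, 1005, "budget.xls"), (2, 1006, "secret.doc")],
    )
    return conn


def overview_vulnerable(conn, link_id):
    # The untrusted parameter is spliced straight into the statement,
    # which is the pattern the advisory describes. Returns the file
    # names found, or the database error text when the query breaks.
    sql = "SELECT name FROM files WHERE link_id='%s'" % link_id
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "error: %s" % exc


def overview_fixed(conn, link_id):
    # Hardened form: link_id must be a plain decimal integer, and the
    # value is bound as a parameter instead of being concatenated.
    if not isinstance(link_id, str) or not link_id.isdigit():
        return []
    rows = conn.execute(
        "SELECT name FROM files WHERE link_id=?", (int(link_id),)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for value in ("1005", "1005'asdf", "1005' OR '1'='1"):
        print(repr(value), "->", overview_vulnerable(db, value),
              "| fixed:", overview_fixed(db, value))
```

The quote probe in the advisory (1005'asdf) only unbalances the statement and yields an error; the third value in the demo shows the more useful consequence of the same bug, an altered WHERE clause that returns rows the caller was never meant to see. The fix rejects anything that is not an integer before the query is built, and binds the value even then.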
 
B. Cross Site Scripting 
 
B1. The search field of the address book module 
reflects its input without encoding it, so it is 
vulnerable to XSS. You can try it by simply :  
 
        1.- Logging into TUTOS 
        2.- Click on the Address Module 
        3.- In the search field insert the following 
data :  
 
        ">&lt;script&gt;alert(document.cookie)&lt;/script&gt; 
 
        4.- You will see your cookie 
 
 
B2. The t parameter of the app_new.php script is 
reflected unencoded as well, which gives a second 
XSS vulnerability. Try the following URL :  
 
        
http://<site-with-tutos>/app_new.php?t=200408240<script>alert(document.cookie)</script>
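An added example covering both B1 and B2 (not TUTOS code): two small page templates that reflect the search term and the t parameter the way the advisory describes, the encoded and validated forms beside them, and a minimal check that tells whether a response reflects a script tag intact. The HTML fragments are assumptions constructed for the example.

```python
"""Added example (not TUTOS code): reflected XSS via the address book
search field (B1) and the t parameter of app_new.php (B2), beside the
hardened versions. The page templates below are constructed for
illustration; TUTOS's real markup is not reproduced here."""
import html

# The two payloads from the advisory.
XSS_SEARCH = '"><script>alert(document.cookie)</script>'
XSS_T = '200408240<script>alert(document.cookie)</script>'


def search_page_vulnerable(q):
    # Echoes the search term into an input value without encoding.
    # The leading "> of the payload closes the attribute and the tag,
    # so the <script> element that follows becomes live markup.
    return '<input type="text" name="search" value="%s">' % q


def search_page_fixed(q):
    # Encode for the HTML attribute context: quote=True also turns
    # the double quote into &quot;, which is what keeps the attribute
    # closed around the payload.
    return '<input type="text" name="search" value="%s">' % html.escape(q, quote=True)


def app_new_vulnerable(t):
    # Reflects the t parameter into element content unencoded.
    return "<p>Date: %s</p>" % t


def app_new_fixed(t):
    # t is expected to be a numeric timestamp, so reject anything else
    # before it reaches the page; encode the accepted value anyway.
    if not t.isdigit():
        return "<p>Date: invalid</p>"
    return "<p>Date: %s</p>" % html.escape(t, quote=True)


def reflects_script(body):
    # Crude reflected-XSS check: an unencoded <script> tag in the
    # response means the input reached a markup context intact. An
    # encoded copy (&lt;script&gt;) is plain text and does not match.
    return "<script>" in body.lower()


if __name__ == "__main__":
    for name, page in (("B1 vulnerable", search_page_vulnerable(XSS_SEARCH)),
                       ("B1 fixed", search_page_fixed(XSS_SEARCH)),
                       ("B2 vulnerable", app_new_vulnerable(XSS_T)),
                       ("B2 fixed", app_new_fixed(XSS_T))):
        print("%-14s script reflected=%s  %s" % (name, reflects_script(page), page))
```

The same reflects_script check can be run over real responses when testing a deployment: fetch the page with the payload in the parameter and look for the tag unencoded. Encoding must match the context the value lands in (attribute versus element content), which is why the B1 fix escapes quotes and not only angle brackets.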
 
 
The fix: 
~~~~~~~~ 
 
The TUTOS author has fixed all of these issues. 
The fixes are currently on their way into CVS 
and will be included in the next release, which 
will be available soon. 
 
Disclaimer: 
~~~~~~~~~~~ 
 
The information in this advisory and any of its 
demonstrations is provided "as is" without any 
warranty of any kind. 
 
I am not liable for any direct or indirect damages 
caused as a result of using the information or 
demonstrations provided in any part of this 
advisory.  
 
--------------------------------------------------------------------------- 
 
Contact: 
~~~~~~~~ 
 
        Joxean Koret at 
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es