  1. #1
    SitePoint Member, Jul 2009
    Acollab Vulnerabilities

    Please have a look at this vulnerability article: "www dot secunia dot com/advisories/35173/"
    It contains 3 vulnerabilities in the acollab system "www dot atutor dot ca/acollab/".
    Can you help me with a fix for them?



    The Article:

    Description:
    Russ McRee has discovered some vulnerabilities in ACollab, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct cross-site scripting and cross-site request forgery attacks.

    1) Input passed to the "f" parameter in sign_in.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

    2) Input passed via e.g. the "address" parameter in profile.php or the "description" parameter in events/add_event.php is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session when the malicious data is viewed.

    3) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. add members or groups when a logged-in administrator visits a specially crafted web page.

    The vulnerabilities are confirmed in version 1.2. Other versions may also be affected.

  2. #2
    Mittineague (Programming Team), West Springfield, Massachusetts, Jul 2005
    Hi thesecret, welcome to the forums.

    Normally I would recommend that you not hack core app files (although sanitation code should be easy enough to add), but wait for the author(s) to fix the vulnerability issues and then upgrade ASAP.

    But as
    "Important: ACollab is being phased out, in favour of extending ATutor, which now includes group capabilities and most of the functionality previously found in ACollab. Users are encouraged to use ATutor, as support for ACollab will gradually disappear."
    Obviously, the best way to "fix" them is to switch to ATutor.
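As an added illustration (not ACollab's own code, and not from any poster in this thread), here is the shape the "sanitation code" for the three advisory items takes in PHP: output encoding for the reflected "f" parameter, tag stripping for stored fields such as "address" and "description", and a session-bound token check for state-changing requests. All function names, the handler wiring and the session key are hypothetical.

```php
<?php
// Added example, not ACollab code. Helper names and wiring are hypothetical.
declare(strict_types=1);

// 1) Reflected XSS (the "f" parameter in sign_in.php): encode on output,
//    never echo request input back into the page unencoded.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2) Stored script insertion ("address" in profile.php, "description" in
//    events/add_event.php): strip tags and control characters on input,
//    and still encode with h() whenever the stored value is displayed.
function clean_text(string $s, int $max = 2000): string
{
    $s = strip_tags($s);
    $s = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $s) ?? '';
    return mb_substr(trim($s), 0, $max);
}

// 3) CSRF: a random per-session token that every state-changing form
//    must carry; compared in constant time with hash_equals().
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_check(array $post): bool
{
    return isset($post['csrf'], $_SESSION['csrf'])
        && is_string($post['csrf'])
        && hash_equals($_SESSION['csrf'], $post['csrf']);
}

// Hypothetical handler showing how the helpers fit together.
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid request token');
    }
    $description = clean_text((string)($_POST['description'] ?? ''));
    // ... persist $description with a prepared statement ...
}
$f = (string)($_GET['f'] ?? '');
echo '<input type="hidden" name="csrf" value="' . h(csrf_token()) . '">';
echo '<p>' . h($f) . '</p>';
```

Adding the token check to member/group creation handlers covers the advisory's third item; the helpers are only useful if every existing echo of user data goes through h().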

  3. #3
    SitePoint Member, Jul 2009
    Thanks for the fast reply.
    I agree with you, they have stopped support for acollab.
    The problem is that Atutor contains a lot of advanced features that I don't want.
    I feel it's more complicated

    & I adore the simplicity of acollab,
    so if I was able to fix these vulnerabilities, for sure I will use acollab.
    Can anybody help with this?

  4. #4
    logic_earth, CA, Oct 2005
    Head on over to the "Looking to Hire" section of SitePoint.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.