Description
A vulnerability has been discovered in AContent, which can be exploited by malicious people to disclose certain sensitive information.
Input passed via the "url" POST parameter to oauth/lti/common/tool_provider_outcome.php is not properly sanitised before being used to read files. This can be exploited to disclose contents of arbitrary files on the server.
The vulnerability is confirmed in version 1.3. Other versions may also be affected.

Vulnerable Products
Vulnerable Software: AContent 1.x

Solution
Apply patch 1_3-1.
http://update.atutor.ca/acontent/patch/1_3/1_3-1/patch.xml
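
As defence in depth alongside the patch, a "url" value of this kind should be validated before anything reads from it. The PHP function below is an added example, not AContent's code and not the contents of patch 1_3-1; the name `validate_outcome_url`, the `ALLOWED_HOSTS` list and the sample inputs are assumptions made for illustration.

```php
<?php
// Added illustration: not AContent code and not the contents of patch 1_3-1.
// ALLOWED_HOSTS is a hypothetical allowlist of trusted LTI consumer hosts.
const ALLOWED_HOSTS = ['lms.example.org'];

/**
 * Return the URL unchanged if it is acceptable to fetch, or null to reject it.
 */
function validate_outcome_url($raw): ?string
{
    if (!is_string($raw) || $raw === '' || strlen($raw) > 2048) {
        return null;
    }
    // Reject NUL bytes and other control characters outright.
    if (preg_match('/[\x00-\x1f\x7f]/', $raw)) {
        return null;
    }
    $parts = parse_url($raw);
    // A bare filesystem path has no scheme and no host, so it fails here.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Only https is accepted, which excludes file:// and other stream wrappers.
    if (strtolower($parts['scheme']) !== 'https') {
        return null;
    }
    // No embedded credentials: they make the real host easy to misread.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;
    }
    return $raw;
}

// Constructed sample inputs, not taken from the advisory.
$samples = [
    'https://lms.example.org/outcome/service',
    '/var/www/private/notes.txt',
    'file:///var/www/private/notes.txt',
    'https://lms.example.org@other.example.net/x',
    'https://unknown.example.net/outcome',
];
foreach ($samples as $s) {
    $verdict = validate_outcome_url($s) === null ? 'reject' : 'accept';
    printf("%-48s %s\n", $s, $verdict);
}
```

The request that follows a successful check should be made with an HTTP client that has redirect following disabled, so that an allowed host cannot forward the fetch to a different target.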

CVE

References
DaOne:
http://packetstormsecurity.com/files/120921/AContent-1.3-Local-File-Inclusion.html

Vulnerability Manager Detection
No

IPS Protection