Vulnerabilities in TUTOS Sep 18 2004 08:46PM
Joxean Koret (joxeankoret yahoo es)


Multiple Vulnerabilities in TUTOS


Author: Jose Antonio Coret (Joxean Koret)

Date: 2004

Location: Basque Country


Affected software description:


TUTOS 1.1 (2004-04-14) and prior versions

TUTOS is a tool to manage the organizational needs of small groups, teams, departments ... To do this it provides some web-based tools.

Web : http://www.tutos.org




A. SQL Injection.

You can insert SQL commands in /file/file_overview.php by placing them in the link_id parameter.

To try this :


B. Cross Site Scripting

B1. In the address book, the search field is vulnerable to XSS. You can try it by simply:

1.- Logging into TUTOS

2.- Click on the Address Module

3.- In the search field insert the following data :


4.- You will see your cookie

B2. In the app_new.php script there is also another XSS vulnerability.

Try the following URL :


The fix:


The author has fixed all the problems. A new release will be available soon, and it will include all the fixes (currently on the way to CVS).
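
The class of fix for sections A and B, as an added example that is not TUTOS code or the author's patch. It assumes link_id is a numeric object id; the `files` table and both function names are hypothetical, and PDO with in-memory SQLite stands in for the application's database layer.

```php
<?php
// Added illustration, not TUTOS source. Assumptions: link_id is a numeric
// object id; the `files` table and both function names are hypothetical.

// Section A: accept link_id only if it is a positive integer, then bind it.
function filesForLink(PDO $db, $rawLinkId): array
{
    $linkId = filter_var($rawLinkId, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    if ($linkId === false) {
        throw new InvalidArgumentException('link_id must be a positive integer');
    }
    // The placeholder keeps the value out of the SQL text even if the
    // validation above is later relaxed.
    $stmt = $db->prepare('SELECT id, name FROM files WHERE link_id = :link_id');
    $stmt->bindValue(':link_id', $linkId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Section B: encode user input at the point it is written into HTML.
function echoSearchTerm(string $rawTerm): string
{
    return htmlspecialchars($rawTerm, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample data so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, link_id INTEGER, name TEXT)');
$db->exec("INSERT INTO files (link_id, name) VALUES (7, 'minutes.txt'), (8, 'budget.xls')");

// Constructed inputs: one well-formed id, then values that are not a bare
// positive integer (trailing text, negative number, empty string).
foreach (['7', '7abc', '-1', ''] as $input) {
    try {
        $rows = filesForLink($db, $input);
        printf("%-6s -> %d row(s)\n", var_export($input, true), count($rows));
    } catch (InvalidArgumentException $e) {
        printf("%-6s -> rejected: %s\n", var_export($input, true), $e->getMessage());
    }
}

// Markup in the search term is rendered as text, not interpreted.
echo 'Results for: ', echoSearchTerm('<b>"team"</b> & co'), "\n";
```
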



The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this





Joxean Koret at


Copyright 2010, SecurityFocus