Atutor 2.2.1 Remote Code Execution Vulnerability

Summary

ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a “..” pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component.

Credit:

The information has been provided by Joseph McPeters 

The original article can be found at: https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit


Details

Atutor is prone to a remote code-execution vulnerability.This allows a remote attacker to exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts may result in a denial-of-service condition.

Vulnerable Systems:

  • Atutor 2.2.1
  • Atutor 2.2.2
  • Atutor 2.2.4

CVE Information:

CVE-2019-12169

Disclosure Timeline:
Publish Date:06/03/2019

Categories: News