SRC-2016-0001 : ATutor LMS install_modules CSRF Remote Code Execution Vulnerability

CVE ID:

CVE-2016-2539

CVSS Score:

9.3, (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Affected Vendors:

ATutor

Affected Products:

ATutor 2.2.1 is confirmed, other versions may also be affected.

Vulnerability Details:

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ATutor. User interaction is required to exploit this vulnerability in that a target administrator must visit a malicious page.

The specific flaw exists when sending data to the ‘import_modules.php’ page. An attacker can craft a JavaScript payload and deceive an Administrator into performing a malicious upload. This can result in remote code execution in the context of the web server.

Vendor Response:

ATutor has issued an update to correct this vulnerability. More details can be found at: https://github.com/atutor/ATutor/commit/bfc6c80c6c217c5515172f3cc949e13dfa1a92ac

Disclosure Timeline:

  • 2016-02-23 – Vulnerability reported to vendor
  • 2016-02-24 – CVE requested and assigned
  • 2016-02-24 – Vendor confirmed issue
  • 2016-03-05 – Vendor releases a patch
  • 2016-03-06 – Coordinated public release of advisory

Proof of Concept:

https://github.com/sourceincite/poc/blob/master/SRC-2016-0001.zip

Credit:

This vulnerability was discovered by Steven Seeley of Source Incite