SRC-2016-0012 : ATutor LMS confirm ‘UPDATE’ Type Juggling Authentication Bypass Vulnerability

CVE ID:

N/A

CVSS Score:

7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Vendors:

ATutor

Affected Products:

ATutor 2.2.1 is confirmed, other versions may also be affected.

Vulnerability Details:

This vulnerability allows remote attackers to bypass the authentication mechanism on vulnerable installations of ATutor.

The specific flaw exists in the ‘confirm.php’ script when updating a member's email address. The code uses a loose comparison when comparing the supplied ‘m’ variable with an influenced string value. An attacker can update a member's email address and reset the password. Finally, an attacker can combine this with another vulnerability to achieve remote code execution.
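As an added illustration of the bug class named above (not ATutor's code and not the vendor's fix), the following PHP shows a loose `==` between a request-supplied value and a server-side string next to a hardened comparison; the function names and the token value are constructed for this example.

```php
<?php
// Added illustration of the bug class in this advisory: a PHP loose
// comparison (==) between a request-supplied value and a server-derived
// string. This is not ATutor's code; function names and values are
// hypothetical.

// Weak pattern: == performs type juggling before comparing, so the type
// of $supplied (string, int, bool, ...) decides what is actually compared.
function confirm_loose($supplied, string $expected): bool
{
    return $supplied == $expected;
}

// Hardened pattern: reject anything that is not a string, then compare
// with hash_equals(), which never juggles types and runs in constant time.
function confirm_strict($supplied, string $expected): bool
{
    if (!is_string($supplied)) {
        return false;
    }
    return hash_equals($expected, $supplied);
}

// Constructed server-side confirmation token (a truncated hex digest is a
// common shape for such tokens; this value is made up for the example).
$expected = 'f00dbabe17';

// Request values of the kinds a PHP application can receive: strings from
// the query string, and non-string types from JSON bodies or decoded input.
$cases = [
    'correct token'      => $expected,
    'wrong token string' => 'deadbeef00',
    'boolean true'       => true, // == any non-empty string on every PHP version
    'integer zero'       => 0,    // == a non-numeric string on PHP < 8 only
];

foreach ($cases as $label => $value) {
    printf("%-20s loose=%-5s strict=%s\n",
        $label,
        var_export(confirm_loose($value, $expected), true),
        var_export(confirm_strict($value, $expected), true));
}
```

Only the correct token passes `confirm_strict`, while `confirm_loose` also accepts `true` on any PHP version and `0` on PHP 7 and earlier, which is why a `==` check on a confirmation code cannot be relied on as an authentication step.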

Vendor Response:

ATutor has issued an update to correct this vulnerability. More details can be found at: https://github.com/atutor/ATutor/commit/2eed42a74454355eddc7fc119e67af40dba1a94c

Disclosure Timeline:

  • 2016-02-24 – Vulnerability reported to vendor
  • 2016-02-24 – CVE requested and rejected
  • 2016-02-25 – Vendor confirmed issue
  • 2016-03-07 – Vendor releases a patch
  • 2016-03-08 – Coordinated public release of advisory

Proof of Concept:

https://github.com/sourceincite/poc/blob/master/SRC-2016-0012.py

Credit:

This vulnerability was discovered by Steven Seeley of Source Incite.