SRC-2016-0016 : ATutor LMS password_reminder ‘UPDATE’ Type Juggling Authentication Bypass Vulnerability

CVE ID:

N/A

CVSS Score:

7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Vendors:

ATutor

Affected Products:

ATutor 2.2.1 is confirmed, other versions may also be affected.

Vulnerability Details:

This vulnerability allows remote attackers to bypass the authentication mechanism on vulnerable installations of ATutor.

The specific flaw exists in the ‘password_reminder.php’ script when performing a password reset. The code uses PHP's loose comparison (==) when checking the supplied ‘h’ parameter against a string value the attacker can influence, so a crafted request can satisfy the check without knowledge of the genuine value (type juggling). An attacker can combine this with other vulnerabilities to achieve remote code execution.
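The following is an added illustration of the class of bug described above; it is not code from ATutor or from this advisory, and the function names, the token format and the sample inputs are constructed for the example. It shows how a PHP reset-token check written with `==` accepts a value that differs from the expected one, and the corrected check beside it.

```php
<?php
// Constructed example (not ATutor's code): a reset-token check with PHP loose
// comparison beside a hardened version.
declare(strict_types=1);

// VULNERABLE: '==' on two strings that both look numeric makes PHP compare
// them as numbers. "0e<digits>" parses as 0 * 10^N == 0, so two different
// digests of that form compare equal.
function verify_token_loose(string $supplied, string $expected): bool
{
    return $supplied == $expected;
}

// FIXED: hash_equals() compares byte-for-byte in constant time; '===' would
// also avoid the type juggling (but not the timing side channel).
function verify_token_strict(string $supplied, string $expected): bool
{
    return hash_equals($expected, $supplied);
}

// Constructed inputs: two md5 digests that happen to be "0e" followed only by
// digits. Pretend $expected is what the server derived for the reset link and
// $supplied is the attacker's 'h' parameter.
$expected = md5('240610708'); // 0e462097431906509019562988736854
$supplied = md5('QNKCDZO');   // 0e830400451993494058024219903391

var_dump($expected === $supplied);                 // bool(false): different strings
var_dump(verify_token_loose($supplied, $expected)); // bool(true):  bypass
var_dump(verify_token_strict($supplied, $expected));// bool(false): rejected
```

The attacker only needs the server-side value to land in the numeric-looking form (or, in older PHP, to be a value such as 0 that loosely equals an arbitrary non-numeric string); when that value is something the attacker can influence, as the advisory states for this script, the check can be driven into the equal case on demand. Any secret comparison in PHP should use `hash_equals()` (PHP 5.6+) or at minimum `===`.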

Vendor Response:

ATutor has issued an update to correct this vulnerability. More details can be found at: https://github.com/atutor/ATutor/commit/8b23adc5ba065b65105aa8c1f491ab57769f2421

Disclosure Timeline:

  • 2016-02-24 – Vulnerability reported to vendor
  • 2016-02-24 – CVE requested and rejected
  • 2016-02-25 – Vendor confirmed issue
  • 2016-03-07 – Vendor released a patch
  • 2016-03-08 – Coordinated public release of advisory

Credit:

This vulnerability was discovered by Steven Seeley of Source Incite