SRC-2017-0004 : AContent Directory Traversal Information Disclosure and Remote Code Execution Vulnerabilities

CVE ID:

N/A

CVSS Score:

9, (AV:N/AC:L/Au:S/C:C/I:C/A:C)

Affected Vendors:

ATutor

Affected Products:

AContent

Vulnerability Details:

These vulnerabilities allows remote attackers to disclose information or execute arbitrary code on vulnerable installations of AContent. Authentication is required to exploit the remote code execution vulnerabilities, however account registration is open by default.

The tool_provider_outcome.php script allows a remote attacker to use a directory traversal in the url parameter to disclose information. The question_import.php, ims_import.php and import_test.php scripts allow a remote attacker to upload a specially crafted zip file containing directory traversals. An attacker could leverage this to execute arbitrary code under the context of the web server.

Vendor Response:

ATutor has issued two updates to correct these vulnerabilities. More details can be found at:

Disclosure Timeline:

  • 2016-12-10 – Verified and sold to Beyond Security
  • 2017-05-16 – Coordinated public release of advisory

Credit:

This vulnerability was discovered by Steven Seeley of Source Incite

Acknowledgments:

Source Incite would like to acknowledge Beyond Security’s SSD program for the help with co-ordination of this vulnerability. More details can be found on their blog at https://blogs.securiteam.com/index.php/archives/3207.