SRC-2017-0004 : AContent Directory Traversal Information Disclosure and Remote Code Execution Vulnerabilities
These vulnerabilities allows remote attackers to disclose information or execute arbitrary code on vulnerable installations of AContent. Authentication is required to exploit the remote code execution vulnerabilities, however account registration is open by default.
The tool_provider_outcome.php script allows a remote attacker to use a directory traversal in the url parameter to disclose information. The question_import.php, ims_import.php and import_test.php scripts allow a remote attacker to upload a specially crafted zip file containing directory traversals. An attacker could leverage this to execute arbitrary code under the context of the web server.
ATutor has issued two updates to correct these vulnerabilities. More details can be found at:
- 2016-12-10 – Verified and sold to Beyond Security
- 2017-05-16 – Coordinated public release of advisory
This vulnerability was discovered by Steven Seeley of Source Incite
Source Incite would like to acknowledge Beyond Security’s SSD program for the help with co-ordination of this vulnerability. More details can be found on their blog at https://blogs.securiteam.com/index.php/archives/3207.