SRC-2016-0001 : ATutor LMS install_modules CSRF Remote Code Execution Vulnerability
CVE ID:
CVSS Score:
9.3, (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Affected Vendors:
ATutor
Affected Products:
ATutor 2.2.1 is confirmed, other versions may also be affected.
Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ATutor. User interaction is required: a logged-in administrator must visit a page under the attacker's control.
The specific flaw exists in the handling of requests to the 'install_modules.php' page, which accepts a module upload from an administrator without verifying that the request was intentionally submitted from the application itself (a cross-site request forgery). An attacker can host a page containing a JavaScript payload that, when viewed by an authenticated administrator, submits a malicious module upload on the administrator's behalf using their session. Because the uploaded module is installed into the application, this results in remote code execution in the context of the web server.
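The following is an added illustration of the flaw class, not ATutor's code and not the vendor's patch: a minimal PHP upload handler written in the shape the advisory describes (an administrator-only POST that accepts an archive and installs it), first trusting any authenticated request, then hardened with a per-session anti-CSRF token, an Origin check and a SameSite session cookie. The function names, the `modulefile` and `csrf_token` field names and the `/var/www/mods/` path are assumptions chosen for the example.

```php
<?php
// Added example (hypothetical names); not code from ATutor or its fix.

// SameSite keeps the browser from attaching the session cookie to a POST that
// a page on another origin initiates. Must be set before session_start().
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict',
]);
session_start();

// Unpack an uploaded archive into the modules directory (path is hypothetical).
function install_archive(string $tmpPath, string $destDir): bool
{
    $zip = new ZipArchive();
    if ($zip->open($tmpPath) !== true) {
        return false;
    }
    $ok = $zip->extractTo($destDir);
    $zip->close();
    return $ok;
}

// --- Vulnerable pattern: any POST from an admin session is trusted ----------
function install_module_vulnerable(): void
{
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        return;
    }
    // A page on another origin can submit this multipart POST on the admin's
    // behalf; the browser attaches the session cookie, so the check above passes.
    if (!isset($_FILES['modulefile']) || $_FILES['modulefile']['error'] !== UPLOAD_ERR_OK) {
        return;
    }
    install_archive($_FILES['modulefile']['tmp_name'], '/var/www/mods/');
}

// --- Hardened pattern --------------------------------------------------------
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    // Constant-time comparison so the token cannot be guessed byte by byte.
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

function same_origin(): bool
{
    // Browsers send Origin on cross-site POSTs; a foreign origin is rejected
    // even if an attacker somehow learned a valid token.
    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
    $self   = 'https://' . ($_SERVER['HTTP_HOST'] ?? '');
    return $origin === '' || $origin === $self;
}

function install_module_hardened(): void
{
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        return;
    }
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST'
        || !same_origin()
        || !csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        return;
    }
    if (!isset($_FILES['modulefile']) || $_FILES['modulefile']['error'] !== UPLOAD_ERR_OK) {
        return;
    }
    install_archive($_FILES['modulefile']['tmp_name'], '/var/www/mods/');
}

// The legitimate form carries the token; a forged cross-site form cannot read it.
function render_install_form(): string
{
    $t = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" enctype="multipart/form-data">'
         . '<input type="hidden" name="csrf_token" value="' . $t . '">'
         . '<input type="file" name="modulefile">'
         . '<button type="submit">Install module</button>'
         . '</form>';
}
```

The token check is the fix that closes the CSRF; the Origin and SameSite checks are defence in depth and should not replace it, since older browsers omit both. Note that none of these checks validates the archive itself: an administrator who is tricked or compromised can still install a malicious module, so the upload path should additionally restrict what an archive may contain.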
Vendor Response:
ATutor has issued an update to correct this vulnerability. More details can be found at: https://github.com/atutor/ATutor/commit/bfc6c80c6c217c5515172f3cc949e13dfa1a92ac
Disclosure Timeline:
- 2016-02-23 – Vulnerability reported to vendor
- 2016-02-24 – CVE requested and assigned
- 2016-02-24 – Vendor confirmed issue
- 2016-03-05 – Vendor releases a patch
- 2016-03-06 – Coordinated public release of advisory
Proof of Concept:
https://github.com/sourceincite/poc/blob/master/SRC-2016-0001.zip
Credit:
This vulnerability was discovered by Steven Seeley of Source Incite