SRC-2016-0016 : ATutor LMS password_reminder ‘UPDATE’ Type Juggling Authentication Bypass Vulnerability



CVSS Score:

7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Vendors:


Affected Products:

ATutor 2.2.1 is confirmed, other versions may also be affected.

Vulnerability Details:

This vulnerability allows remote attackers to bypass the authentication mechanism on vulnerable installations of ATutor.

The specific flaw exists in the ‘password_reminder.php’ script when performing an password reset. The code uses a loose comparison when comparing the supplied ‘h’ variable with an influenced string value. An attacker can combine this with other vulnerabilities to achieve remote code execution.

Vendor Response:

ATutor has issued an update to correct this vulnerability. More details can be found at:

Disclosure Timeline:

  • 2016-02-24 – Vulnerability reported to vendor
  • 2016-02-24 – CVE requested and rejected
  • 2016-02-25 – Vendor confirmed issue
  • 2016-03-07 – Vendor releases a patch
  • 2016-03-08 – Coordinated public release of advisory


This vulnerability was discovered by Steven Seeley of Source Incite