SRC-2017-0004 : AContent Directory Traversal Information Disclosure and Remote Code Execution Vulnerabilities



CVSS Score:

9, (AV:N/AC:L/Au:S/C:C/I:C/A:C)

Affected Vendors:


Affected Products:


Vulnerability Details:

These vulnerabilities allow remote attackers to disclose information or execute arbitrary code on vulnerable installations of AContent. Authentication is required to exploit the remote code execution vulnerabilities, however account registration is open by default.

The tool_provider_outcome.php script allows a remote attacker to use a directory traversal in the url parameter to disclose information. The question_import.php, ims_import.php and import_test.php scripts allow a remote attacker to upload a specially crafted zip file containing directory traversals. An attacker could leverage this to execute arbitrary code under the context of the web server.

Vendor Response:

ATutor has issued two updates to correct these vulnerabilities. More details can be found at:

Disclosure Timeline:

  • 2016-12-10 – Verified and acquired by Beyond Security
  • 2017-05-16 – Coordinated public release of advisory


This vulnerability was discovered by Steven Seeley of Source Incite


Source Incite would like to acknowledge Beyond Security’s SSD program for the help with co-ordination of this vulnerability. More details can be found on their blog at