Overview of ATutor

ATutor is an Open Source Web-based Learning Management System (LMS) used to develop and deliver online courses.

https://atutor.github.io/atutor/index.html

Affected versions: <= 2.2.4

The vulnerability

The application has weak access controls on /ATutor/install/include/step5.php, one of the installation scripts, which is responsible for setting the database connection info and the content directory.

	// step5.php takes the connection settings straight from the POST body ...
	if ($_POST['step1']['db_login']) {
		$db_login = $_POST['step1']['db_login'];
		$db_pwd = $_POST['step1']['db_password'];
		$db_host = $_POST['step1']['db_host'];
		$db_port = $_POST['step1']['db_port'];
		$db_name = $_POST['step1']['db_name'];
		$tb_prefix = $_POST['step1']['tb_prefix'];
		$content_dir = $_POST['step1']['content_dir'];
		$smtp = $_POST['step1']['smtp'];
	.................................
	.................................
	// ... and writes them into the live config file
	if (!write_config_file('../include/config.inc.php',
	         $db_login,
	         $db_pwd,
	         $db_host,
	         $db_port,
	         $db_name,
	         $tb_prefix,
	         $comments,
	         $content_dir,
	         $smtp,
	         $get_file
	))

The root cause is an insufficient access-control IF statement in /ATutor/install/include/header.php: it only restricts access to the first three steps of the installation process, so the later steps (step5.php among them) remain reachable on an already-installed site.

if ($step < 4) {   // steps 4 and above never reach the installed-state check below
	error_reporting(0);
	include('../include/config.inc.php');
	error_reporting(E_ALL ^ E_NOTICE);
	if (defined('AT_INSTALL')) {
		include_once(AT_INSTALLER_INCLUDE_PATH.'common.inc.php');
		echo print_meta_redirect();
		exit;
	}
}
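As an added example (not ATutor's code, and not the contents of any pull request), the gate above modelled beside a hardened form where the installed-state check applies to every step; the config path and the redirect target are assumed.

```php
<?php
// Added example, not ATutor's code. Models the gate in
// install/include/header.php: the original only checks the installed
// state for steps 1-3, so a direct request to step5.php on an installed
// site is never redirected away.

// $installed: whether ../include/config.inc.php exists and defines AT_INSTALL.
function original_gate_redirects(int $step, bool $installed): bool
{
    if ($step < 4) {          // original condition: steps 4+ are never checked
        return $installed;
    }
    return false;
}

// Hardened form: the installed-state check is made for every step, so no
// installation script can be re-run once the site has been installed.
function hardened_gate_redirects(int $step, bool $installed): bool
{
    return $installed;
}

// Drop-in equivalent of the hardened gate for header.php.
// $configPath and the redirect target are assumed values for this example.
function enforce_install_gate(string $configPath = '../include/config.inc.php'): void
{
    if (is_file($configPath)) {
        error_reporting(0);
        include_once $configPath;
        error_reporting(E_ALL ^ E_NOTICE);
        if (defined('AT_INSTALL')) {
            // Site is already installed: never let any install step run again.
            echo '<meta http-equiv="refresh" content="0;url=../index.php">';
            exit;
        }
    }
}

// Walk-through on an installed site: step 5 passes the original condition
// and is blocked by the hardened one.
foreach ([1, 3, 4, 5] as $step) {
    printf("step %d (installed): original redirects=%s hardened redirects=%s\n",
        $step,
        original_gate_redirects($step, true) ? 'yes' : 'no',
        hardened_gate_redirects($step, true) ? 'yes' : 'no');
}
```

In a deployment, the same outcome is usually also enforced by removing or blocking the install/ directory after installation, which is a worthwhile check to run against any ATutor instance.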

Impact

An unauthenticated attacker can send a crafted request to trigger the vulnerable function and change the database connection details the application uses (db_host, db_port, db_login, db_password), forcing it to use a database the attacker has prepared. The attacker can then log in to the application with an account from that fake database, change the value of content_dir (the directory the application uses to store uploaded files) to the web application root directory, upload a PHP backdoor and gain RCE.


Fix

ATutor is no longer maintained, so I added a fix myself: https://github.com/atutor/ATutor/pull/170