Overview of ATutor
ATutor is an Open Source Web-based Learning Management System (LMS) used to develop and deliver online courses.
https://atutor.github.io/atutor/index.html
Affected versions: <= 2.2.4
The vulnerability
The application has weak access controls on /ATutor/install/include/step5.php, one of the installation scripts, which is responsible for writing the database connection settings and the content directory to the configuration file.
// install/include/step5.php: every connection parameter is taken straight from
// the POST body; nothing checks whether the application is already installed.
if ($_POST['step1']['db_login']) {
    $db_login    = $_POST['step1']['db_login'];
    $db_pwd      = $_POST['step1']['db_password'];
    $db_host     = $_POST['step1']['db_host'];
    $db_port     = $_POST['step1']['db_port'];
    $db_name     = $_POST['step1']['db_name'];
    $tb_prefix   = $_POST['step1']['tb_prefix'];
    $content_dir = $_POST['step1']['content_dir'];
    $smtp        = $_POST['step1']['smtp'];
.................................
.................................
    // The request-supplied values are written into the live configuration file.
    if (!write_config_file('../include/config.inc.php',
                           $db_login,
                           $db_pwd,
                           $db_host,
                           $db_port,
                           $db_name,
                           $tb_prefix,
                           $comments,
                           $content_dir,
                           $smtp,
                           $get_file
    ))
The root cause is the guard in /ATutor/install/include/header.php: its IF statement only applies the "already installed" check to installation steps below 4, so later steps, including step 5, remain reachable after the installation has completed.
// install/include/header.php: the redirect for an already-installed system
// only runs when $step < 4; step 5 falls through this block untouched.
if ($step < 4) {
    error_reporting(0);
    include('../include/config.inc.php');          // defines AT_INSTALL once installed
    error_reporting(E_ALL ^ E_NOTICE);
    if (defined('AT_INSTALL')) {
        include_once(AT_INSTALLER_INCLUDE_PATH.'common.inc.php');
        echo print_meta_redirect();               // bounce the visitor away from the installer
        exit;
    }
}
Impact
An unauthenticated attacker can send a crafted request that reaches the vulnerable code and overwrites the database connection details the application uses (db_host, db_port, db_login, db_password), forcing it to connect to a database the attacker has prepared.
The attacker can then log in with an account from that attacker-controlled database and change content_dir, the directory in which the application stores uploaded files, to the web application's root directory.
Uploading a PHP backdoor through the application then yields remote code execution.
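The following is an added example of how the two weaknesses described above could be closed in step5.php itself; it is not ATutor's code and not the contents of the pull request referenced below. It assumes that config.inc.php defines AT_INSTALL on an installed system (as the header.php guard above relies on), that $_SERVER['DOCUMENT_ROOT'] is the web root, and the helper names are invented for this example.

```php
<?php
// Added hardening example (not ATutor's code, not the contents of PR #170).
// Both checks are meant to run at the top of install/include/step5.php,
// before the existing `if ($_POST['step1']['db_login'])` block.

// 1. Refuse to rewrite config.inc.php once the application is installed.
//    header.php only performs this check for $step < 4, so the step that
//    actually writes the configuration repeats it unconditionally.
function refuse_reconfiguration_if_installed(string $config_path): void {
    if (!is_file($config_path)) {
        return;                      // fresh install: no configuration to protect yet
    }
    error_reporting(0);
    include_once $config_path;       // defines AT_INSTALL on an installed system
    error_reporting(E_ALL ^ E_NOTICE);
    if (defined('AT_INSTALL')) {
        http_response_code(403);
        exit('ATutor is already installed; remove the install/ directory.');
    }
}

// 2. content_dir must resolve to an existing directory outside the web root,
//    so that files uploaded later can never land somewhere PHP is executed.
function content_dir_is_safe(string $content_dir, string $document_root): bool {
    $real = realpath($content_dir);
    $root = realpath($document_root);
    if ($real === false || $root === false || !is_dir($real)) {
        return false;                // non-existent paths are rejected, not created
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR);
    if ($real === $root) {
        return false;                // the web root itself
    }
    $rootWithSep = $root . DIRECTORY_SEPARATOR;
    // Any path that starts with "<root>/" is inside the web root.
    return strncmp($real, $rootWithSep, strlen($rootWithSep)) !== 0;
}

// Usage (assumed placement at the top of step5.php):
refuse_reconfiguration_if_installed('../include/config.inc.php');
if (!content_dir_is_safe($_POST['step1']['content_dir'] ?? '', $_SERVER['DOCUMENT_ROOT'])) {
    http_response_code(400);
    exit('content_dir must be an existing directory outside the web root.');
}
```

The first check is the one that actually removes the unauthenticated reconfiguration; the second is defence in depth against the upload step of the chain and is worth keeping even on a correctly guarded installer. Independently of any code fix, deleting or blocking the install/ directory after deployment is the standard operational mitigation for this class of installer exposure.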
Fix
ATutor is no longer maintained, so I added a fix myself: https://github.com/atutor/ATutor/pull/170
