ATutor 2.2.4 Arbitrary File Upload / RCE (CVE-2019-12169)
Latest commit 2e043f5 Jun 9, 2019
atutor-upload-rce.py
poc.zip


Description: ATutor 2.2.4 allows arbitrary file upload and directory traversal, resulting in remote code execution, via a ".." pathname in a ZIP archive submitted to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component.

Greetz: wetw0rk, offsec ^^

Notes: This application is no longer being maintained, so there is no fix for this issue.

Update: If you wish to test this manually, I have included poc.zip for a better understanding.
