Skip to content
ATutor 2.2.4 'Backup' Remote Command Execution (CVE-2019-12170)
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
1_Atutor_Course.jpg Add files via upload May 13, 2019
3_Atutor_Backups.jpg Add files via upload May 13, 2019
8_Atutor_Payload.jpg Add files via upload May 13, 2019


ATutor 2.2.4 is vulnerable to arbitrary file uploads via the backup function that may result in remote command execution.

First login with the instructor account and select a course:

  • #1 http://[atutor address]/atutor/bounce.php?course=1

Then navigate to "Manage"

  • #2 http://[atutor address]/atutor/tools/index.php

Next select Backups/Upload

  • #3 http://[atutor address]/atutor/mods/_core/backups/upload.php

From here a specially crafted backup zip file i.e "" can be uploaded that will result in remote command execution.

The PoC arbitrary file can be found at: http://[atutor address]/atutor/content/1/pwned/poc.PhP



Note: The "1" in the address will change based on the course number and the "content" directory may be different. However by default the installation calls for the dir name to be "content". This has been tested on both linux/windows installations.

Screenshots included to show exact steps to successfully reenact exploit.

Update: There is no fix for this issue ATutor is no longer being maintained. [5/22/19]

  • Directory traversal is also possible if the content directory is not in the webroot.

For more information on a directory traversal proof of concept check out:

You can’t perform that action at this time.