ATutor Course Server Rfi

vendor:

ATutor Course Server

by:

IRCRASH (R3d.W0rm)

9.3

CVSS

HIGH

Remote File Inclusion (RFI)

CWE

Product Name: ATutor Course Server

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2007

A Remote File Inclusion (RFI) vulnerability exists in ATutor Course Server, which allows an attacker to include a remote file containing malicious code, resulting in arbitrary code execution. This vulnerability is due to insufficient sanitization of user-supplied input to the 't_file' parameter of the 'import.php' script. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request containing a URL in the 't_file' parameter. Successful exploitation of this vulnerability can result in arbitrary code execution.

Mitigation:

The vendor has released a patch to address this vulnerability. Users are advised to apply the patch immediately after appropriate testing.

Source

Exploit-DB raw data:

#####################################################################################
####                         ATutor Course Server Rfi                            ####
#####################################################################################
#                                                                                   #
#AUTHOR : IRCRASH (R3d.W0rm)                                                        #
#Discovered by : IRCRASH (R3d.W0rm)                                                 #
#Our Site : Http://IRCRASH.COM                                                      #
#IRCRASH Team Members : Dr.Crash - R3d.w0rm                                         #
#####################################################################################
#                                                                                   #
#Script Download : www.atutor.ca                                                    #
#                                                                                   #
#DORK : "Web site engine's code is copyright Â© 2001-2007 ATutorÂ®"                   #
#                                                                                   #
#Note : You must login , then use rfi bug  ;)                                       #
#####################################################################################
#                                       [Rfi]                                       #
#                                                                                   #
#http://Example/tools/packages/import.php                                           #
#                                                                                   #
#                                    [Valun Code]                                   #
#  ....                                                                             #
# if (isset ($_POST['type'])) {                                                     #
#	require ($_POST['type'] . '/import.php');                                   #
#}                                                                                  #
#  ....                                                                             #
#####################################################################################
#                           Site : Http://IRCRASH.COM                               #
###################################### TNX GOD ######################################

# milw0rm.com [2008-07-28]