atutor/ATutor

ATutor Backup Arbitrary File uploads

fuzzlove opened this issue · 3 comments

Dear ATutor,

I have found an issue with ATutor 2.2.4 and prior that allows users to upload arbitrary files and can result in remote code execution. The specific method that I have found uses the instructor account and the Backup function: https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File. I realize there is a similar issue in CVE-2019-11446, but I just wanted to make sure that you are aware.

Best regards

fgeek commented

@atutor Can you check this case? I'm not sure why @fuzzlove closed this.

Re-opened, my mistake.

Thanks all. ATutor is no longer being maintained, but we’ll take pull requests to patch issues,