ATutor 2.2 File Upload

`-------------------------------------------------------------------------  
ATutor <= 2.2 (Custom Course Icon) Unrestricted File Upload Vulnerability  
-------------------------------------------------------------------------  
  
  
[-] Software Link:  
  
http://www.atutor.ca/  
  
  
[-] Affected Versions:  
  
Version 2.2 and prior versions.   
  
  
[-] Vulnerability Description:  
  
User input passed through the "customicon" when creating a new course is not properly  
sanitized before being uploaded into the /content/ directory. This could be exploited  
to upload and execute arbitrary PHP code. Successful exploitation of this vulnerability  
requires an account with permissions to create new courses.  
  
  
[-] Solution:  
  
Apply the vendor patch.  
  
  
[-] Disclosure Timeline:  
  
[10/10/2014] - Vendor notified  
[13/10/2014] - Vendor response stating this issue will be patched right away  
[02/11/2014] - Vendor patch released: http://update.atutor.ca/patch/2_2/2_2-6/patch.xml  
[30/09/2015] - CVE number requested  
[05/10/2015] - CVE number assigned  
[04/11/2015] - Public disclosure  
  
  
[-] CVE Reference:  
  
The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2014-9752 to this vulnerability.  
  
  
[-] Credits:  
  
Vulnerability discovered by Egidio Romano.  
  
  
[-] Original Advisory:  
  
http://karmainsecurity.com/KIS-2015-05  
  
  
`