CVE-2005-3405

Name of the Vulnerable Software and Affected Versions ATutor versions 1.4.1 through 1.5.1-pl1

Description The issue allows remote attackers to execute arbitrary PHP functions. This is possibly due to an eval injection vulnerability, where an attacker can make a direct request to the "forum.inc.php" endpoint with a modified addslashes parameter. The attack can be performed by setting either the asc or desc parameters.

Recommendations For ATutor versions 1.4.1 through 1.5.1-pl1, consider restricting access to the "forum.inc.php" endpoint until a patch is available. As a temporary workaround, avoid using the addslashes parameter with the asc or desc parameters set in the "forum.inc.php" endpoint.