PT-2019-12311 · Atutorspaces · Atutor

Akkus +1 · Published 2019-04-22 · Updated 2019-04-26 · CVE-2019-11446

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ATutor versions prior to 2.2.5

Description: An issue in ATutor allows a user with teacher privileges to run commands on the server. The File Manager's Upload Files section contains an arbitrary file upload vulnerability via the "upload.php" endpoint. The $IllegalExtensions value is case-sensitive and only lists lowercase extensions, so it can be bypassed by using uppercase extensions (e.g., .phP). Additionally, the value omits the .shtml and .phtml extensions.

Recommendations: For ATutor versions prior to 2.2.5, update to version 2.2.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the Upload Files section in the File Manager to prevent exploitation. Additionally, modify the $IllegalExtensions value to include both lowercase and uppercase extensions, as well as the .shtml and .phtml extensions, to prevent bypasses.
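The following is an added example, not ATutor's own code, illustrating the two defects the description names (a case-sensitive blocklist and missing extensions) beside two hardened checks. The extension lists, the function names and the sample filenames are constructed for illustration and do not come from the ATutor source.

```php
<?php
// Added example (not ATutor's code). The list contents and the allowlist
// below are assumptions for illustration only.

// Weak: case-sensitive blocklist of lowercase extensions only.
// "shell.phP" passes because "phP" !== "php"; "page.phtml" passes because
// phtml is not in the list at all.
function weakIsAllowed(string $filename, array $illegalExtensions): bool {
    $ext = pathinfo($filename, PATHINFO_EXTENSION);
    return !in_array($ext, $illegalExtensions, true);
}

// Hardened blocklist: lower-case the extension before comparing, and make
// sure the list covers the server-executed variants the advisory says were
// missing (.phtml, .shtml).
function hardenedBlocklistIsAllowed(string $filename, array $illegalExtensions): bool {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    $illegal = array_map('strtolower', $illegalExtensions);
    return !in_array($ext, $illegal, true);
}

// Preferred: an allowlist of the content types the feature actually needs,
// compared case-insensitively. Anything not explicitly permitted is
// rejected, so an executable extension absent from a blocklist (or an
// extensionless file) cannot slip through.
function allowlistIsAllowed(string $filename, array $allowedExtensions): bool {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $allowedExtensions, true);
}

// Constructed sample lists (assumed, not ATutor's real $IllegalExtensions).
$illegalExtensions      = ['php', 'php3', 'php4', 'php5', 'cgi', 'pl'];
$illegalExtensionsFixed = array_merge($illegalExtensions, ['phtml', 'shtml']);
$allowedExtensions      = ['txt', 'pdf', 'png', 'jpg', 'gif'];

// Constructed sample filenames, including the mixed-case and omitted
// extensions the advisory describes.
$samples = ['notes.txt', 'shell.phP', 'page.phtml', 'index.shtml', 'README'];
foreach ($samples as $name) {
    printf("%-12s weak=%-6s hardened=%-6s allowlist=%s\n",
        $name,
        weakIsAllowed($name, $illegalExtensions) ? 'allow' : 'reject',
        hardenedBlocklistIsAllowed($name, $illegalExtensionsFixed) ? 'allow' : 'reject',
        allowlistIsAllowed($name, $allowedExtensions) ? 'allow' : 'reject');
}
```

Running it shows the weak check admitting every sample, the case-normalised blocklist rejecting the .phP, .phtml and .shtml names, and the allowlist additionally rejecting the extensionless file. An extension check is only one layer: uploads should also be stored outside the web root, or in a directory where the web server is configured not to execute scripts, so that a name that does get past the filter is still served as inert data.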

Exploit · Fix · Unrestricted File Upload


Weakness Enumeration

Related Identifiers: CVE-2019-11446

Affected Products: Atutor