PT-2005-4203 · Atutor · Atutor

Andreas Sandblad

·

Published

2005-11-01

·

Updated

2016-10-18

·

CVE-2005-3405

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

ATutor versions 1.4.1 through 1.5.1-pl1

Description

Eval injection vulnerability in forum.inc.php. A remote, unauthenticated attacker (CVSS Au:N) who sends a direct request to forum.inc.php with a modified addslashes parameter, and with either the asc or the desc parameter set, can have the value supplied in addslashes invoked as a PHP function, i.e. execute arbitrary PHP functions on the server. Setting either asc or desc is sufficient to trigger the call.

Recommendations

Apply the vendor fix for ATutor 1.4.1 through 1.5.1-pl1 as soon as it is available. Until then, deny direct HTTP requests to forum.inc.php: the flaw is only reachable by requesting that file directly, and its .inc.php name together with the "direct request" trigger indicate an include file rather than a user-facing page, so blocking direct access at the web server closes the attack path without affecting the application's normal entry points. Note that the addslashes, asc and desc parameters are supplied by the attacker, not by legitimate users of the forum, so there is no usage pattern for administrators to avoid; access control on the endpoint is the effective workaround.
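The following PHP is an added illustration of the vulnerability class described above and of the corresponding fix; it is not ATutor's code. Only the parameter names (addslashes, asc, desc) follow the advisory. The function names, the APP_ENTRY guard constant, and the $globals array (which stands in for a request-to-variable mapping such as PHP's register_globals, a mechanism this page does not discuss) are hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration of the eval-injection class in CVE-2005-3405.
// NOT ATutor's code: parameter names follow the advisory, everything else
// (function names, APP_ENTRY, the $globals stand-in for register_globals)
// is hypothetical.

// ---- Vulnerable pattern -------------------------------------------------
// An include file expects its includer to have set $addslashes to the name
// of a quoting function, then calls it as a "variable function". On a direct
// request nothing legitimate sets $addslashes, so any mechanism that copies
// request parameters into variables lets the attacker choose the callee.
function vulnerable_forum_sort(array $request, array $globals): string
{
    // Normally provided by the including script; attacker-controlled when
    // forum.inc.php is requested directly.
    $addslashes = $globals['addslashes'] ?? 'addslashes';

    // Either asc or desc is enough to reach the call, as the advisory states.
    if (isset($request['asc'])) {
        $value = (string) $request['asc'];
    } elseif (isset($request['desc'])) {
        $value = (string) $request['desc'];
    } else {
        return '';
    }

    // Eval injection: the request decides which PHP function runs, and on what.
    return $addslashes($value);
}

// ---- Hardened form ------------------------------------------------------
// 1. Refuse to run unless included through the application's entry point.
// 2. Never derive a callable from request data; map input to a fixed token.
function require_entry_point(): void
{
    if (!defined('APP_ENTRY')) {          // hypothetical include guard
        http_response_code(403);
        exit('direct access not permitted');
    }
}

function hardened_forum_sort(array $request): string
{
    require_entry_point();
    // Only an allowlisted direction token reaches the rest of the code; the
    // raw parameter value is never used as a function name or an argument.
    return isset($request['desc']) ? 'DESC' : 'ASC';
}

// ---- Demonstration (constructed input; the "attacker" picks a harmless
// function, strtoupper, where a real attacker would pick something like
// system) ---------------------------------------------------------------
$attackRequest = ['asc' => 'id'];                       // ?asc=id
$attackGlobals = ['addslashes' => 'strtoupper'];        // &addslashes=strtoupper

// The attacker-chosen function executes on attacker-supplied input.
echo vulnerable_forum_sort($attackRequest, $attackGlobals), PHP_EOL;

// The front controller defines APP_ENTRY before including the file; with the
// guard satisfied, the same request yields only the fixed token.
define('APP_ENTRY', true);
echo hardened_forum_sort($attackRequest), PHP_EOL;
```

Run it with `php` from the command line to see the attacker's function name being executed in the first call and ignored in the second. The include guard is the in-code counterpart of the recommended workaround; the same effect is obtained at the web-server layer, for example with an Apache `<FilesMatch "\.inc\.php$">` block that denies all requests, so that include files can never be requested directly regardless of how the PHP code is written.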

Exploit

Fix


Related Identifiers

CVE-2005-3405

Affected Products

Atutor