ATutor <= 2.2 (Custom Course Icon) Unrestricted File Upload Vulnerability

• Affected Versions:

Version 2.2 and prior versions.

• Vulnerability Description:

User input passed through the “customicon” parameter when creating a new course is not properly sanitized before being uploaded into the /content/ directory. This could be exploited to upload and execute arbitrary PHP code. Successful exploitation of this vulnerability should require an account with permissions to create new courses, however it could be exploited in conjunction with KIS-2015-06 in order to bypass the authentication mechanism.

• Solution:

Apply the vendor patch.

• Disclosure Timeline:

[10/10/2014] – Vendor notified

[13/10/2014] – Vendor response stating this issue will be patched right away

[02/11/2014] – Vendor patch released:

[30/09/2015] – CVE number requested

[05/10/2015] – CVE number assigned

[04/11/2015] – Public disclosure

• CVE Reference:

The Common Vulnerabilities and Exposures project ( has assigned the name CVE-2014-9752 to this vulnerability.

• Credits:

Vulnerability discovered by Egidio Romano.