ATutor <= 2.2 (edit_marks.php) PHP Code Injection Vulnerability

http://www.atutor.ca

• Affected Versions:

Version 2.2 and prior versions.

• Vulnerability Description:

The vulnerable code is located in the /mods/_standard/gradebook/edit_marks.php script:

54if (isset($_GET['asc'])) 
55{
56    $order = 'asc';
57    $order_col = $addslashes($_GET['asc']);
58} 
59else if (isset($_GET['desc'])) {
60    $order = 'desc';
61    $order_col = $addslashes($_GET['desc']);
185if ((isset($_GET["asc"]) || isset($_GET["desc"])) && $order_col <> "name")
186{
187    $sort = '$grades['.$order_col.'], SORT_'.strtoupper($order).', $selected_students, SORT_'.strtoupper($order);
188     
189    foreach($selected_tests as $test)
190    {
191        if ($test["gradebook_test_id"] <> $order_col)
192            $sort .= ', $grades['.$test["gradebook_test_id"].'], SORT_'.strtoupper($order);
193    }
194    $sort='array_multisort('.$sort.');';
195    eval($sort);
196}

User input passed through the “asc” or “desc” GET parameters is not properly sanitized before being used in a call to eval() at line 195. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability should require an account with the “AT_PRIV_GRADEBOOK” privilege, however it could be exploited in conjunction with KIS-2015-06 in order to bypass the authentication mechanism.

• Solution:

No official solution is currently available.

• Disclosure Timeline:

[06/10/2014] – Vendor notified

[09/10/2014] – Vendor response stating this issue has been added to the bug tracker and it is relatively minor

[13/10/2014] – Vendor replied saying he is not able to reproduce the issue and asked for further details

[29/10/2014] – Further exploitation details have been provided to the vendor

[11/11/2014] – Vendor replied saying he still is not able to reproduce the issue and asked for fix suggestions

[11/11/2014] – Some fix suggestions have been provided to the vendor

[30/09/2015] – CVE number requested

[05/10/2015] – CVE number assigned

[06/10/2015] – After one year still no official solution available

[04/11/2015] – Public disclosure

• CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2015-7712 to this vulnerability.

• Credits:

Vulnerability discovered by Egidio Romano.