VID |
21757 |
Severity |
40 |
Port |
80, ... |
Protocol |
TCP |
Class |
CGI |
Detailed Description |
ATutor contains a command execution vulnerability in the forum.inc.php script. ATutor is an open source web-based Learning Content Management System (LCMS). ATutor version 1.5.1 pl1 and earlier versions contain multiple input validation vulnerabilities, which can allow remote attackers to execute arbitrary PHP commands and carry out local file include and cross-site scripting attacks. Successful exploitation of the first two issues requires that PHP's 'register_globals' option be enabled and, in some cases, that the 'magic_quotes_gpc' option be disabled.
* References: http://secunia.com/secunia_research/2005-55/advisory/
* Platforms Affected: ATutor version 1.5.1 pl1 and earlier versions; any operating system, any version |
Recommendation |
Upgrade to the latest version of ATutor (1.5.2 or later), available from the ATutor Download Web page at http://www.atutor.ca/atutor/download.php
-- OR --
Apply the appropriate patch for each version, available from the ATutor Web site at http://atutor.ca/view/3/6158/1.html |
Related URL |
CVE-2005-3405 (CVE) |
Related URL |
15221 (SecurityFocus) |
Related URL |
(ISS) |