CVE-2019-11446
Published 2019-04-22
Priority: P2 (64) · Severity: high · CVSS 3.0 base score: 8.8
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 7.95% (94.0th percentile)
An issue was discovered in ATutor through 2.2.4. It allows the user to run commands on the server with the teacher user privilege. The Upload Files section in the File Manager field contains an arbitrary file upload vulnerability via upload.php. The $IllegalExtensions value only lists lowercase (and thus .phP is a bypass), and omits .shtml and .phtml.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| atutor | atutor | <= 2.2.4 | — |
Detection & IOCs (extracted from sources)
- Detect multipart file uploads to /ATutor/mods/_core/file_manager/upload.php where the uploaded filename has a mixed-case PHP extension (e.g., .phP, .Php) to identify filter bypass attempts.
- Alert on uploads of .shtml or .phtml files to the ATutor file manager, as these dangerous extensions are omitted from the $IllegalExtensions blocklist.
- Monitor for the exploit's sequential HTTP flow: POST to login.php → POST to create_course.php → POST to upload.php → GET to content/<course_id>/<random8chars>.phP, which indicates automated exploitation.
- Inspect the User-Agent header for the static value 'Mozilla' used by the Metasploit module across all requests in the exploit chain.
- Flag POST requests to create_course.php that include a csrftoken field immediately followed by a POST to upload.php with a mixed-case PHP extension filename, as this is the two-step exploit sequence.
- The exploit requires the ATutor 'content' directory (AT_CONTENT_DIR) to be located within the web root or its path to be known; if the content folder is outside the web root, the uploaded shell cannot be executed via HTTP.
- The $IllegalExtensions blocklist in constants.inc.php only checks lowercase extensions (exe|asp|php|php3|php5|cgi|bat...) and lacks case-insensitive validation, making mixed-case bypasses (.phP, .Php) effective.
- The exploit requires a valid teacher-level account; administrator accounts will cause the exploit to abort, and unauthenticated exploitation is not possible.
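The two detection ideas above that can be checked offline, the lowercase-only blocklist weakness and the four-request exploit flow, are shown together in the following added example. It is not code from the page, from ATutor or from the Metasploit module: it models the flawed blocklist check beside a case-insensitive one that also covers .shtml/.phtml, and runs a small detector over constructed combined-format access log lines (the IP addresses, timestamps and the /ATutor/create_course.php path are assumptions; the page does not give that script's directory).

```python
import re
from collections import defaultdict

# Blocklist entries as quoted on the page (its list is truncated with "..."; these are the
# ones it shows). The vulnerable check compares the raw extension against this lowercase
# set, so ".phP" is never matched.
ILLEGAL_EXTENSIONS = {"exe", "asp", "php", "php3", "php5", "cgi", "bat"}
# Hardened set: adds the two extensions the page says are omitted; compared lowercased.
HARDENED_EXTENSIONS = ILLEGAL_EXTENSIONS | {"shtml", "phtml"}


def extension(name: str) -> str:
    """Text after the last dot, or '' when the name has no dot."""
    return name.rsplit(".", 1)[1] if "." in name else ""


def is_blocked_vulnerable(name: str) -> bool:
    """Case-sensitive, lowercase-only check modelled on the flawed blocklist."""
    return extension(name) in ILLEGAL_EXTENSIONS


def is_blocked_hardened(name: str) -> bool:
    """Case-insensitive check that also rejects .shtml and .phtml."""
    return extension(name).lower() in HARDENED_EXTENSIONS


def bypass_reason(name: str):
    """Why a name that passes the vulnerable check is rejected by the hardened one, or None."""
    if is_blocked_vulnerable(name) or not is_blocked_hardened(name):
        return None
    if extension(name).lower() in ILLEGAL_EXTENSIONS:
        return "mixed-case-extension"  # e.g. .phP, .Php
    return "omitted-extension"  # .shtml / .phtml


# Apache/nginx combined log format: ip ident user [time] "method path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Executed upload per the page: GET content/<course_id>/<8 chars>.<ext>
CONTENT_RE = re.compile(r"/content/\d+/[A-Za-z0-9]{8}\.[A-Za-z0-9]+$")
# The three POSTs of the exploit flow, in order; the final GET is the step after them.
CHAIN = ("login.php", "create_course.php", "upload.php")


def basename(path: str) -> str:
    return path.split("?", 1)[0].rsplit("/", 1)[-1]


def chain_step(method: str, path: str):
    """Index of the exploit step this request represents, or None."""
    script = basename(path)
    if method == "POST" and script in CHAIN:
        return CHAIN.index(script)
    if method == "GET" and CONTENT_RE.search(path.split("?", 1)[0]) and bypass_reason(script):
        return len(CHAIN)
    return None


def analyze(log_lines):
    """Return (client_ip, finding, path) tuples for the page's detection ideas."""
    findings = []
    progress = defaultdict(int)  # client ip -> next expected chain step
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, ua = m["ip"], m["method"], m["path"], m["ua"]
        if ua == "Mozilla":  # bare static User-Agent noted on the page
            findings.append((ip, "static-user-agent", path))
        step = chain_step(method, path)
        if step == len(CHAIN):
            findings.append((ip, bypass_reason(basename(path)), path))
        if step is not None and step == progress[ip]:
            progress[ip] += 1
            if progress[ip] == len(CHAIN) + 1:
                findings.append((ip, "exploit-chain", path))
        elif step == 0:
            progress[ip] = 1  # a fresh login restarts the sequence
    return findings


# Constructed sample traffic (not real logs): one exploit-like flow and one benign request.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Apr/2019:10:00:01 +0000] "POST /ATutor/login.php HTTP/1.1" 302 0 "-" "Mozilla"',
    '203.0.113.5 - - [22/Apr/2019:10:00:02 +0000] "POST /ATutor/create_course.php HTTP/1.1" 302 0 "-" "Mozilla"',
    '203.0.113.5 - - [22/Apr/2019:10:00:03 +0000] "POST /ATutor/mods/_core/file_manager/upload.php HTTP/1.1" 200 512 "-" "Mozilla"',
    '203.0.113.5 - - [22/Apr/2019:10:00:04 +0000] "GET /ATutor/content/3/aB3dE9fG.phP HTTP/1.1" 200 64 "-" "Mozilla"',
    '198.51.100.7 - - [22/Apr/2019:10:05:00 +0000] "GET /ATutor/content/3/syllabus.pdf HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The chain tracker only advances when a client produces the steps in the page's order, so a benign GET of an eight-character filename (the .pdf line above) is ignored because its extension passes both checks; the same `bypass_reason` helper can be applied to the filename field of an application-side upload log, where the multipart filename is actually visible.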
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.