Vulnerability Description
config.inc.php in ATutor 1.5.1, and possibly earlier versions, uses an incomplete blacklist to check for dangerous file extensions, which allows authenticated administrators or educators to execute arbitrary code by uploading files with other executable extensions such as .inc, .php4, or others.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Adaptive Technology Resource Centre | ATutor | 1.5.1 |
References
- http://marc.info/?l=bugtraq&m=112671176100432&w=2
- http://rgod.altervista.org/atutor151.html (Exploit, Vendor Advisory)
FAQ
What is CVE-2005-2955?
CVE-2005-2955 is a vulnerability with a CVSS score of 4.6 (MEDIUM). config.inc.php in ATutor 1.5.1, and possibly earlier versions, uses an incomplete blacklist to check for dangerous file extensions, which allows authenticated administrators or educators to execute ar...
How severe is CVE-2005-2955?
CVE-2005-2955 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2005-2955?
Check the references section above for vendor advisories and patch information. Affected products include: Adaptive Technology Resource Centre ATutor.