CVE-2021-43498
📋 TL;DR
ATutor 2.2.4 lets an attacker bypass the password reset check in password_reminder.php by manipulating the g, id, h, form_password_hidden and form_change HTTP POST parameters, and so set a new password for any user account without access to the account's mailbox. All ATutor installations running version 2.2.4 are affected.
💻 Affected Systems
- ATutor Learning Management System
📦 What is this software?
ATutor, an open-source, PHP-based web Learning Management System (LMS) published by the ATutor project.
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of any user including administrators, leading to data theft, privilege escalation, and system compromise.
Likely Case
Unauthorized password reset for regular users, enabling account hijacking and potential lateral movement within the system.
If Mitigated
Reduced exposure if the instance is reachable only from trusted networks and reset attempts are monitored, but the flaw remains an unauthenticated password reset bypass until it is patched.
🎯 Exploit Status
Exploitation only requires sending crafted POST requests to password_reminder.php with manipulated parameters; no account on the target is needed. Public exploit code is available (see the Packet Storm advisory "ATutor LMS 2.2.4 Weak Password Reset Hash" in the references).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ATutor 2.2.5 and later
Vendor Advisory: https://github.com/atutor/ATutor/releases
Restart Required: No
Instructions:
1. Back up the current installation (files and database) before changing anything.
2. Download ATutor 2.2.5 or later from the official repository.
3. Upgrade the installation; at minimum, replace the vulnerable password_reminder.php with the patched copy from the release.
4. Confirm that no local customizations were overwritten, then test a legitimate password reset end to end (request, e-mail link, new password).
🔧 Temporary Workarounds
Disable password reminder functionality
Linux: Temporarily take the password reset endpoint out of service by moving password_reminder.php out of the web root (moving it is preferable to renaming it in place, because a renamed copy with an unrecognized extension may be served to clients as plain text). While the endpoint is disabled, legitimate users cannot reset their own passwords and must go through an administrator.
mv /path/to/atutor/password_reminder.php /path/outside/webroot/password_reminder.php.disabled
Implement web application firewall rules
All platforms: Block or rate-limit POST requests to password_reminder.php that carry the vulnerable parameter combination (g, id, h, form_password_hidden and form_change together). Test the rule against a legitimate reset first, since the normal reset flow uses a subset of the same parameters.
🧯 If You Can't Patch
- Implement strict network access controls to limit access to the ATutor instance
- Enable detailed logging of all password reset attempts and monitor for suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Check whether password_reminder.php is present and reachable in your ATutor installation, and read the installed version from the VERSION constant in includes/constants.php. Any 2.2.4 installation with the file in place is vulnerable.
Check Version:
grep 'VERSION' /path/to/atutor/includes/constants.php
Verify Fix Applied:
Verify that the VERSION constant reports 2.2.5 or higher, diff the installed password_reminder.php against the copy shipped in the patched release to confirm it was actually replaced, and confirm that a reset request with tampered g/id/h values is rejected instead of changing the password.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed password reset attempts from single IP
- Successful password resets without corresponding email verification
- POST requests to password_reminder.php with unusual parameter combinations
Network Indicators:
- HTTP POST requests to /password_reminder.php containing the g, id, h, form_password_hidden and form_change parameters together (note that default web server access logs do not record POST bodies; capturing these parameters requires a WAF audit log, a reverse proxy configured to log request bodies, or full packet capture)
- Password reset attempts in rapid succession from one source
SIEM Query:
source="web_logs" url="*password_reminder.php*" method="POST" | stats count by src_ip | where count > 5
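The SIEM query above only counts POSTs per source over the whole search period. The following script is an added example (not part of the original advisory or the ATutor project) that implements the "rapid succession" indicator from the previous list: it parses Apache combined-format access log lines and flags any client that POSTed to password_reminder.php at least three times within a sliding five-minute window. The log lines, IP addresses and thresholds are constructed for illustration; tune the window and threshold to your own reset volume.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log lines (Apache combined format); not real traffic.
# 203.0.113.7 hammers the reset endpoint; 198.51.100.20 performs one normal reset.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2021:10:00:01 +0000] "POST /ATutor/password_reminder.php HTTP/1.1" 200 1532 "-" "curl/7.68.0"
203.0.113.7 - - [12/Nov/2021:10:00:03 +0000] "POST /ATutor/password_reminder.php HTTP/1.1" 200 1532 "-" "curl/7.68.0"
203.0.113.7 - - [12/Nov/2021:10:00:05 +0000] "POST /ATutor/password_reminder.php HTTP/1.1" 302 0 "-" "curl/7.68.0"
198.51.100.20 - - [12/Nov/2021:10:01:10 +0000] "GET /ATutor/password_reminder.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Nov/2021:10:01:45 +0000] "POST /ATutor/password_reminder.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2021:10:30:00 +0000] "POST /ATutor/password_reminder.php HTTP/1.1" 200 1532 "-" "curl/7.68.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def find_reset_bursts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: max_posts_in_window} for every client that POSTed to
    password_reminder.php at least `threshold` times inside any span of
    length `window`. Uses a sliding window over each client's sorted timestamps."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/password_reminder.php"):
            posts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        best = 0
        for end, t in enumerate(times):
            # advance the window start until it is within `window` of the current entry
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, n in find_reset_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {ip} sent {n} password reset POSTs within 5 minutes")
```

Run it against a real access log by passing the file contents in place of SAMPLE_LOG. The sliding window avoids the blind spot of fixed buckets (a burst straddling two buckets), and status codes are parsed so the check can be extended to count only 302 redirects, which in a reset flow typically indicate a password was actually changed.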
🔗 References
- https://github.com/atutor/ATutor/blob/master/password_reminder.php
- https://packetstormsecurity.com/files/157563/ATutor-LMS-2.2.4-Weak-Password-Reset-Hash.html