[Original] Multiple PHP file inclusion vulnerabilities in ATutor 1.4.1 through 1.5.1-pl1 allow remote attackers to include arbitrary files via the section parameter followed by a null byte (%00) in (1) body_header.inc.php and (2) print.php.
ATutor body_header.inc.php section Parameter Local File Inclusion
Remote / Network Access
Loss of Confidentiality,
Loss of Integrity
ATutor contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to 'body_header.inc.php' not properly sanitizing user input supplied to the 'section' parameter before using it in a file include. This may allow a remote attacker to include arbitrary files from the local host and view any accessible file on the system, resulting in a loss of confidentiality.
Upgrade to version 1.5.2 or higher, as it has been reported to fix this vulnerability. In addition, ATutor has released a patch for some older versions.
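The root cause described above is a request parameter flowing unchecked into a PHP include. The following is an added illustration, not ATutor's own code or its patch: a hypothetical reconstruction of the include-by-parameter pattern beside a hardened version that resolves the parameter against a fixed allowlist, so no attacker-controlled string ever reaches include(). The section names and file paths are assumptions.

```php
<?php
// Added example, not code from ATutor. Shows the vulnerable include pattern
// the record describes and an allowlist-based replacement.

// Vulnerable pattern (hypothetical): the request value is concatenated
// straight into the include path, so the caller chooses which file loads.
function vulnerable_include(string $section): void
{
    include $section . '.inc.php';
}

// Hardened: the parameter is only a key into a fixed map of known files.
// Paths are assumed for illustration.
const ALLOWED_SECTIONS = [
    'home' => __DIR__ . '/sections/home.inc.php',
    'help' => __DIR__ . '/sections/help.inc.php',
];

// Returns the on-disk path for a section name, or null when the name is not
// a plain token or is not in the allowlist. The regex also rejects NUL and
// any path characters, so "%00" and "../" style values never match.
function resolve_section(string $section): ?string
{
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $section)) {
        return null;
    }
    return ALLOWED_SECTIONS[$section] ?? null;
}

function safe_include(string $section): void
{
    $path = resolve_section($section);
    if ($path === null) {
        http_response_code(400);
        exit('Unknown section');
    }
    include $path;
}

safe_include($_GET['section'] ?? 'home');
```

The allowlist is the important design choice: filtering out specific bad characters (null bytes, slashes, dots) is fragile and has to be revisited each time a new bypass appears, whereas mapping a small set of expected names to paths the application itself defines leaves nothing for the request to influence. A 400 response on an unknown section also gives a clean signal to log and alert on.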