[Full-disclosure] Claroline file inclusion vulnerabilities
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Claroline file inclusion vulnerabilities
- From: "Siegfried" <admin@xxxxxxxxx>
- Date: Mon, 8 May 2006 17:55:46 +0200 (CEST)
Beford posted a tool on milw0rm exploiting some file inclusion
vulnerabilities in Claroline:
http://www.milw0rm.com/exploits/1766
If someone wants the complete list of the vulnerable files, here it is:
the "clarolineRepositorySys" parameter in:
"claroline/auth/extauth/drivers/ldap.inc.php",
"claroline/auth/extauth/drivers/atutor.inc.php",
"claroline/auth/extauth/drivers/db-generic.inc.php",
"claroline/auth/extauth/drivers/docebo.inc.php",
"claroline/auth/extauth/drivers/dokeos.1.6.inc.php",
"claroline/auth/extauth/drivers/dokeos.inc.php",
"claroline/auth/extauth/drivers/ganesha.inc.php",
"claroline/auth/extauth/drivers/mambo.inc.php",
"claroline/auth/extauth/drivers/moodle.inc.php",
"claroline/auth/extauth/drivers/phpnuke.inc.php",
"claroline/auth/extauth/drivers/postnuke.inc.php",
"claroline/auth/extauth/drivers/spip.inc.php"
the "includePath" parameter in:
"claroline/auth/extauth/drivers/mambo.inc.php",
"claroline/auth/extauth/drivers/postnuke.inc.php"
and the "claro_CasLibPath" parameter in:
"claroline/auth/extauth/casProcess.inc.php"
After looking at the code, I also found:
claroline/inc/lib/event/init_event_manager.inc.php
[..]
require_once($includePath . '/lib/event/class.event.php');
require_once($includePath . '/lib/event/notifier.php');
[..]
and:
/claroline/inc/lib/export_exe_tracking.class.php
[..]
include_once($rootSys.$clarolineRepositoryAppend.'exercice/question.class.php');
include_once($rootSys.$clarolineRepositoryAppend.'exercice/answer.class.php');
include_once( dirname(__FILE__) . '/csv.class.php');
[..]
I mailed the Claroline staff; I'm not waiting for a patch because the
ones Beford found are unpatched and public anyway.
Claroline supports register_globals off; that is the solution.
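For readers maintaining a deployment, here is an added example (not Claroline's code) of why the quoted includes are dangerous under register_globals and how the same includes look when hardened: the base directory is derived from the script's own location instead of a variable that a request can populate, the process refuses to start while register_globals is on, and every include is resolved and checked against that base. The constant CLARO_INCLUDE_BASE and the function claro_safe_require are assumed names invented for this example.

```php
<?php
// Added example, not Claroline code. Names below are assumptions.

// --- Unsafe pattern, as quoted in the advisory ---
// With register_globals=On, a request parameter named includePath becomes
// $includePath whenever the script never assigns it itself, so the path is
// chosen by whoever sends the request:
//
//   require_once($includePath . '/lib/event/class.event.php');

// --- Hardened version ---

// 1. Fail closed if this PHP still has register_globals enabled.
//    (ini_get returns "" or false when the directive is absent; both are false.)
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('register_globals must be disabled');
}

// 2. Derive the include base from the code's own location, never from a
//    variable that could be populated by the request.
define('CLARO_INCLUDE_BASE', realpath(__DIR__ . '/..'));

/**
 * Include a file relative to CLARO_INCLUDE_BASE, refusing anything that
 * resolves outside it: traversal, absolute paths, and stream wrappers
 * such as php:// or http://.
 */
function claro_safe_require(string $relative): void
{
    // Reject empty input, stream wrappers and absolute paths before
    // touching the filesystem at all.
    if ($relative === ''
        || preg_match('#^[a-z][a-z0-9+.-]*://#i', $relative)
        || $relative[0] === '/') {
        throw new RuntimeException("Refusing non-relative include: $relative");
    }

    // realpath() resolves "..", symlinks and returns false for missing files.
    $full = realpath(CLARO_INCLUDE_BASE . '/' . $relative);
    $prefix = CLARO_INCLUDE_BASE . DIRECTORY_SEPARATOR;
    if ($full === false || strpos($full, $prefix) !== 0) {
        throw new RuntimeException("Include outside allowed base: $relative");
    }

    require_once $full;
}

// The two includes from init_event_manager.inc.php, now with a fixed base
// and a checked relative path instead of an uninitialised $includePath.
claro_safe_require('lib/event/class.event.php');
claro_safe_require('lib/event/notifier.php');
```

The prefix comparison uses the realpath'd result, not the string the caller passed, so a path that is textually inside the base but escapes it via `..` or a symlink is still rejected; the startup check is there because a hardened include helper does nothing for the dozens of other files the advisory lists, which only stop being reachable once register_globals is actually off.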
Kevin Fernandez
--
Zone-H Admin
admin@xxxxxxxxx
www.zone-h.org
www.zone-h.fr
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/