Claroline Open Source e-Learning 1.7.5 Remote File Include

2006.05.12
Credit: beford
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

############# # Description ############# # Vendor: http://www.claroline.net # The file claroline/auth/extauth/drivers/ldap.inc.php uses the variable # clarolineRepositorySys in a include() function without being declared. # There are other files vulnerable in the same folder, this exploit only # attacks ldap.inc.php # # There is other vulnerable file claroline/auth/extauth/casProcess.inc.php # it uses the claro_CasLibPath in a include function but this is not being # declared either, so pwnt, RFI. Vendor was contacted through email, # no response, so i just posted this here and on its forum. ############ # Vulnerable code (lda.inc.php) ############ # return require $clarolineRepositorySys.'/auth/extauth/extAuthProcess.inc.php'; ############ # Vulnerable code (casProcess.inc.php) ############ #if ( ! isset($_SESSION['init_CasCheckinDone'] ) # || $logout # || ( basename($_SERVER['SCRIPT_NAME']) == 'login.php' && isset($_REQUEST['authModeReq']) && $_REQUEST['authModeReq'] == 'CAS' ) # || isset($_REQUEST['fromCasServer']) ) #{ # include_once $claro_CasLibPath; ############ # Check www.milw0rm.com for the exploit code. ############ # Greets # ][GB][ Zetha Wlion desKrriado uyx ASC ############


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top