OLIB 7 WebView 2.5.1.1 (infile) Local File Inclusion Vulnerability

2008.12.23
Credit: ZeN
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2008-5678
CWE: CWE-20


CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Security Advisory for 'OLIB 7 Webview' This software is apart of Moodle. Software - OLIB 7 WebView v2.5.1.1 Exploit - LFI Severity - High Author - ZeN website - http://dusecurity.com/ Date - 2nd October 2008 DUSecurity Team / DarkCode Exploit > http://olib.site.com/cgi/?session=[session_key]&infile=[LFI] files in dir - get_settings.ini, setup.ini(contains config file locations), text.ini Info - You need to login to get a valid session key. ------------------ Extraz : Moodle Permanent XSS In Moodle blogging system, simply make a new blog entry with the title <script>alert()</script> Now everyone that visits the bloggins system with execute your XSS. Go get some cookies =D Enjoy! ------------------ Shouts :- DUSecurity.com DarkCode.me iWannaHack WL-Group

References:

http://xforce.iss.net/xforce/xfdb/45638
http://www.securityfocus.com/bid/31544
http://www.milw0rm.com/exploits/6653


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top