| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7cb43cb30605072345h4d617fd1y48a384471b0b540b@mail.gmail.com>
Date: Mon, 8 May 2006 01:45:49 -0500
From: beford <xbefordx@...il.com>
To: bugs@...uritytracker.com, bugtraq@...urityfocus.com
Subject: Claroline Open Source e-Learning 1.7.5 Remote File Include
#############
# Description
#############
# Vendor: http://www.claroline.net
# The file claroline/auth/extauth/drivers/ldap.inc.php uses the variable
# clarolineRepositorySys in a include() function without being declared.
# There are other files vulnerable in the same folder, this exploit only
# attacks ldap.inc.php
#
# There is other vulnerable file claroline/auth/extauth/casProcess.inc.php
# it uses the claro_CasLibPath in a include function but this is not being
# declared either, so pwnt, RFI. Vendor was contacted through email,
# no response, so i just posted this here and on its forum.
############
# Vulnerable code (lda.inc.php)
############
# return require $clarolineRepositorySys.'/auth/extauth/extAuthProcess.inc.php';
############
# Vulnerable code (casProcess.inc.php)
############
#if ( ! isset($_SESSION['init_CasCheckinDone'] )
# || $logout
# || ( basename($_SERVER['SCRIPT_NAME']) == 'login.php' &&
isset($_REQUEST['authModeReq']) && $_REQUEST['authModeReq'] == 'CAS' )
# || isset($_REQUEST['fromCasServer']) )
#{
# include_once $claro_CasLibPath;
############
# Check www.milw0rm.com for the exploit code.
############
# Greets
# ][GB][ Zetha Wlion desKrriado uyx ASC
############
Powered by blists - more mailing lists