Message-ID: <59599.217.201.69.117.1143829993.squirrel@webmail.zone-h.fr>
Date: Fri Mar 31 19:33:12 2006
From: admin at zone-h.fr (Siegfried)
Subject: Claroline <= 1.7.4 (scormExport.inc.php) Remote Code Execution Exploit by rgod

My bad, I didn't check well, the XSS isn't in an error message for this one.
I had one example: when an invalid function is called (if its name is
based on user-supplied data, yes some people code like this.. I saw one
example in a famous portal), there was an XSS in the error message.
However, I checked now and this was fixed in PHP 5.1.2 with other ones,
maybe there are still some though.
I know nobody cares about XSS when they're not permanent, but if it's in
PHP itself..

On Fri 31 March 2006 11:57, Siegfried wrote:
> I just wanted to comment on rgod's Claroline <= 1.7.4 (scormExport.inc.php)
> Remote Code Execution Exploit:
>
> http://www.milw0rm.com/exploits/1627
>
> http://retrogod.altervista.org/claroline_174_incl_xpl.html
>
> http://secunia.com/advisories/19461/
>
> The file inclusion vulnerability just affects the 1.7 branch, however when
> installing Claroline it says to turn register_globals on, and older
> versions were _just_ working with register_globals set to on (if I
> remember well), so huh.. many are probably vuln.
>
> About the XSS, it is an XSS in the PHP error message. There are many PHP
> functions returning errors without filtering them, anybody noted that?
>
--
Zone-H Admin
admin@...e-h.fr
www.zone-h.org
www.zone-h.fr