lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon May  8 16:55:57 2006
From: admin at zone-h.fr (Siegfried)
Subject: Claroline file inclusion vulnerabilities

Beford posted a tool on milw0rm exploiting some file inclusion
vulnerabilities in claroline:
http://www.milw0rm.com/exploits/1766

if someone wants the complete list of the vulnerable files, here it is:

the "clarolineRepositorySys" parameter in:
"claroline/auth/extauth/drivers/ldap.inc.php",
"claroline/auth/extauth/drivers/atutor.inc.php",
"claroline/auth/extauth/drivers/db-generic.inc.php",
"claroline/auth/extauth/drivers/docebo.inc.php",
"claroline/auth/extauth/drivers/dokeos.1.6.inc.php",
"claroline/auth/extauth/drivers/dokeos.inc.php",
"claroline/auth/extauth/drivers/ganesha.inc.php",
"claroline/auth/extauth/drivers/mambo.inc.php",
"claroline/auth/extauth/drivers/moodle.inc.php",
"claroline/auth/extauth/drivers/phpnuke.inc.php",
"claroline/auth/extauth/drivers/postnuke.inc.php",
"claroline/auth/extauth/drivers/spip.inc.php"

the "includePath" parameter in:
 "claroline/auth/extauth/drivers/mambo.inc.php"
"claroline/auth/extauth/drivers/postnuke.inc.php"

and the "claro_CasLibPath" parameter in:
 "claroline/auth/extauth/casProcess.inc.php"


after looking at the code, i also found:
claroline/inc/lib/event/init_event_manager.inc.php

[..]
require_once($includePath . '/lib/event/class.event.php');

require_once($includePath . '/lib/event/notifier.php');
[..]

and:

/claroline/inc/lib/export_exe_tracking.class.php

[..]
include_once($rootSys.$clarolineRepositoryAppend.'exercice/question.class.php');
include_once($rootSys.$clarolineRepositoryAppend.'exercice/answer.class.php');
include_once( dirname(__FILE__) . '/csv.class.php');
[..]

i mailed the claroline staff, i don't wait for a patch because anyway the
ones Beford found are unpatched and public.

Claroline supports register_globals off, it is the solution.

Kevin Fernandez

-- 
Zone-H Admin
admin@...e-h.fr
www.zone-h.org
www.zone-h.fr

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ