Re: Claroline <= 1.7.4 (scormExport.inc.php) Remote Code Execution Exploit by rgod

["Siegfried" <admin () zone-h fr>]

My bad, i didn't check well, the xss isn't in an error message for this one.
I had one example, when an invalid function is called (if its name is
based on user supplied data, yes some people code like this.. i saw one
example in a famous portal), there was an xss in the error message,
however i checked now and this was fixed in php 5.1.2 with other ones,
maybe there are still some though.
i know nobody cares about xss when they're not permanent, but if it's in
php itself..


Le Ven 31 mars 2006 11:57, Siegfried a écrit :
> I just wanted to comment rgod's Claroline <= 1.7.4 (scormExport.inc.php)
> Remote Code Execution Exploit:
>
> http://www.milw0rm.com/exploits/1627
>
> http://retrogod.altervista.org/claroline_174_incl_xpl.html
>
> http://secunia.com/advisories/19461/
>
> The file inclusion vulnerability just affects the 1.7 branch, however when
> installing claroline it says to turn register_globals on and older
> versions were _just_ working with register_globals set to on (if i
> remember well), so huh.. many are probably vuln.
>
> About the xss, it is an xss in the php error message, there are many php
> functions returning errors without filtering them, anybody noted that?


-- 
Zone-H Admin
admin () zone-h fr
www.zone-h.org
www.zone-h.fr

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/