[VIM] Almost: claroline <= Multiple Remote File Include Vulnerability

George A. Theall theall at tenablesecurity.com
Mon Apr 23 20:40:32 UTC 2007


Anyone else seen this (BID 23609)?

   http://www.securityfocus.com/archive/1/466661/30/0/threaded

Looking at the code from 
http://www.e-learningone.it/software_free/e-learning/claroline175.zip, I 
don't see a file named 'rootSys' in 'claroline/inc/lib'. Nor does it 
seem like the flaw lies in the 'index.php' file in that directory -- it 
has one executable line of code:

   header("Location:../../../");

There is, though, a file named 'export_exe_tracking.class.php' that is 
probably what he was talking about. Its first non-comment line is:

   include_once($rootSys.$clarolineRepositoryAppend.'exercice/question.class.php');

And the issue was corrected with some patches on 10 May 2006; i.e.,

   http://www.claroline.net/wiki/index.php/Talk:Manual_security_hack_in_1.6_and_1.7


George
-- 
theall at tenablesecurity.com
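
An added example, not part of the original post and not Claroline's code: a heuristic Python check for the pattern identified in the message above, an include path built from variables the file itself never assigns. The function name and both PHP samples are constructed for illustration, and the comment stripping is naive (it does not parse PHP strings).

```python
import re

# include/require statements and the path expression they load
INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*([^;]+);', re.I)
VAR_RE = re.compile(r'\$([A-Za-z_]\w*)')
COMMENT_RE = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def unset_include_vars(php_source):
    """Return [(line_no, [names])] for include/require statements whose
    path uses variables not assigned earlier in the same file."""
    # Blank out comments but keep newlines so line numbers stay correct.
    code = COMMENT_RE.sub(lambda m: re.sub(r'[^\n]', ' ', m.group()), php_source)
    findings = []
    for m in INCLUDE_RE.finditer(code):
        before = code[:m.start()]
        missing = []
        for name in VAR_RE.findall(m.group(1)):
            # "=" but not "==": a plain assignment earlier in the file
            assigned = re.search(r'\$' + re.escape(name) + r'\s*=(?!=)', before)
            if not assigned and name not in missing:
                missing.append(name)
        if missing:
            findings.append((code.count('\n', 0, m.start()) + 1, missing))
    return findings

# Constructed sample: first statement mirrors the line quoted in the post.
SAMPLE_FLAGGED = """<?php
// constructed sample
include_once($rootSys.$clarolineRepositoryAppend.'exercice/question.class.php');
"""

# Constructed sample: the same include with the path variables set first.
SAMPLE_CLEAN = """<?php
$rootSys = dirname(__FILE__) . '/';
$clarolineRepositoryAppend = 'claroline/';
include_once($rootSys.$clarolineRepositoryAppend.'exercice/question.class.php');
"""

if __name__ == "__main__":
    for label, src in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(label, unset_include_vars(src))
```

A hit only means the file depends on its includer to define those variables; whether it can be requested directly still has to be checked by hand.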

