[VIM] Re: question about recent advisory (fwd)
security curmudgeon
jericho at attrition.org
Sun May 15 00:34:56 EDT 2005
FYI, I don't think I originally sent this to the list.
---------- Forwarded message ----------
From: Siegfried <siegfri3d at gmail.com>
To: security curmudgeon <jericho at attrition.org>
Date: Fri, 29 Apr 2005 00:16:53 +0200
Reply-To: Siegfried <Siegfried at zone-h.org>
Subject: Re: question about recent advisory
Hi Brian,
For the 3. yes, just multiple variables of these scripts are affected. I didn't
give many details about the 4. so as not to see the sites using Claroline in the
onhold list on zone-h the next day.. :P But for sure I can give you:
claroline/inc/claro_init_header.inc.php
claroline/inc/introductionSection.inc.php
claroline/inc/lib/admin.lib.inc.php
claroline/inc/lib/tool_access_details.lib.php
I didn't know you were part of OSVDB, Jericho, good job!
regards
Siegfried
----- Original Message -----
From: "security curmudgeon" <jericho at attrition.org>
To: <siegfried at zone-h.org>
Sent: Thursday, April 28, 2005 9:34 PM
Subject: question about recent advisory
>
> Hi Siegfried,
>
> http://archives.neohapsis.com/archives/bugtraq/2005-04/0467.html
>
> In reference to the advisory on Claroline, can you provide a few more details
> so that I can properly enter these vulnerabilities in the Open Source
> Vulnerability Database (osvdb.org)?
>
> You state: Multiple Cross site scripting, 10 SQL injection, 7 directory
> traversal and 4 remote file inclusion vulnerabilities have been found in
> Claroline.
>
> 3) Multiple directory traversal vulnerabilities in
> "claroline/document/document.php" and
> "claroline/learnPath/insertMyDoc.php" could allow project administrators
> (teachers) to upload files in arbitrary folders or copy/move/delete (then
> view) files of arbitrary folders by performing directory traversal
> attacks.
>
>
> Of the directory traversals, are these the only two scripts affected, and the
> 7 come from different variables? Or are other scripts also affected?
>
>
> 4) Four remote file inclusion vulnerabilities have been discovered.
>
> Can you share which files are affected?
>
> Thanks!
>
> Brian
> OSVDB.org
>