[VIM] Re: question about recent advisory (fwd)

security curmudgeon jericho at attrition.org
Sun May 15 00:34:56 EDT 2005


FYI, I don't think I originally sent this to the list.

---------- Forwarded message ----------
From: Siegfried <siegfri3d at gmail.com>
To: security curmudgeon <jericho at attrition.org>
Date: Fri, 29 Apr 2005 00:16:53 +0200
Reply-To: Siegfried <Siegfried at zone-h.org>
Subject: Re: question about recent advisory

Hi Brian,
For the 3., yes, just multiple variables of these scripts are affected. I didn't 
give many details about the 4. so as not to see the sites using Claroline in the 
onhold list on zone-h the next day.. :P But for sure I can give you:
claroline/inc/claro_init_header.inc.php
claroline/inc/introductionSection.inc.php
claroline/inc/lib/admin.lib.inc.php
claroline/inc/lib/tool_access_details.lib.php
I didn't know you were part of OSVDB, jericho, good job!
Regards,
Siegfried

----- Original Message -----
From: "security curmudgeon" <jericho at attrition.org>
To: <siegfried at zone-h.org>
Sent: Thursday, April 28, 2005 9:34 PM
Subject: question about recent advisory


> 
> Hi Siegfried,
> 
> http://archives.neohapsis.com/archives/bugtraq/2005-04/0467.html
> 
> In reference to the advisory on Claroline, can you provide a few more details 
> so that I can properly enter these vulnerabilities in the Open Source 
> Vulnerability Database (osvdb.org)?
> 
> You state: Multiple Cross site scripting, 10 SQL injection, 7 directory
>  traversal and 4 remote file inclusion vulnerabilities have been found in
>  Claroline.
> 
>  3)Multiple directory traversal vulnerabilities in
>  "claroline/document/document.php" and
>  "claroline/learnPath/insertMyDoc.php" could allow project administrators
>  (teachers) to upload files in arbitrary folders or copy/move/delete (then
>  view) files of arbitrary folders by performing directory traversal
>  attacks.
> 
> 
> Of the directory traversals, are these the only two scripts affected, and the 
> 7 come from different variables? Or are other scripts also affected?
> 
> 
>  4)Four remote file inclusion vulnerabilities have been discovered.
> 
> Can you share which files are affected?
> 
> Thanks!
> 
> Brian
> OSVDB.org
>
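Item 3 of the advisory quoted above describes directory traversal in the document upload and copy/move/delete handlers: a user-supplied path is joined to a course's document folder without checking that the result still lies inside it. The following is an added example written for this page (it is not Claroline code and not from either correspondent) showing the containment check such handlers need. The document root, the hypothetical course layout and the sample form values are all constructed for the example; it rejects `..` sequences, absolute paths, sibling directories sharing a prefix with the root, and symlinks that point out of the root.

```python
import os
import tempfile

# Constructed document root for a hypothetical course; in a real deployment
# this would be the per-course upload directory configured by the application.
ROOT = "/srv/claroline/courses/demo/document"


class PathEscapesRootError(ValueError):
    """Raised when a submitted path would resolve outside the document root."""


def resolve_within_root(root: str, user_path: str) -> str:
    """Return the real absolute path of user_path under root.

    Raises PathEscapesRootError if the path, after lexical normalisation and
    symlink resolution, does not stay inside root.
    """
    if "\x00" in user_path:
        raise PathEscapesRootError("NUL byte in submitted path")
    if os.path.isabs(user_path):
        # Form values must be relative to the course folder; an absolute path
        # is never a legitimate document reference.
        raise PathEscapesRootError("absolute path submitted")
    # normpath collapses '.', '..' and repeated separators lexically, so
    # 'week1/../../x' becomes a path above root that the check below catches.
    joined = os.path.normpath(os.path.join(root, user_path))
    root_real = os.path.realpath(root)
    target_real = os.path.realpath(joined)
    # commonpath compares whole components: '/srv/.../document2' is not inside
    # '/srv/.../document', whereas a plain string prefix test would accept it.
    if os.path.commonpath([root_real, target_real]) != root_real:
        raise PathEscapesRootError(
            f"{user_path!r} resolves to {target_real}, outside {root_real}"
        )
    return target_real


def is_safe(root: str, user_path: str) -> bool:
    """Boolean wrapper: True only if user_path stays inside root."""
    try:
        resolve_within_root(root, user_path)
        return True
    except PathEscapesRootError:
        return False


def classify(root: str, submissions: list[str]) -> dict[str, bool]:
    """Map each submitted path to whether it would be accepted."""
    return {p: is_safe(root, p) for p in submissions}


def symlink_escape_rejected() -> bool:
    """Demonstrate the symlink case on a real temporary tree.

    Builds <tmp>/document/link -> <tmp>/outside and checks that a path
    through the link is rejected even though it is lexically inside root.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "document")
        outside = os.path.join(tmp, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(root, "link"))
        return not is_safe(root, "link/secret.txt")


if __name__ == "__main__":
    # Constructed sample form values, as a copy/move/delete handler might receive them.
    samples = [
        "week1/notes.pdf",
        "week1/../syllabus.pdf",
        "../../../../etc/passwd",
        "/etc/passwd",
        "../document2/anything",
    ]
    for path, ok in classify(ROOT, samples).items():
        print(f"{'accept' if ok else 'reject':7} {path}")
    print("symlink escape rejected:", symlink_escape_rejected())
```

The design choice worth noting is that the check runs on the resolved target rather than on the input string: rejecting the literal sequence `..` would still let an attacker through a symlink or an encoding the framework decodes later, while comparing `realpath` results against the real root covers both. A handler that uploads, copies, moves or deletes should call `resolve_within_root` on every path argument, including the destination of a copy or move, before touching the filesystem.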

