[VIM] Almost: claroline <= Multiple Remote File Include Vulnerablitiy
George A. Theall
theall at tenablesecurity.com
Mon Apr 23 20:40:32 UTC 2007
Anyone else seen this (BID 23609)?
http://www.securityfocus.com/archive/1/466661/30/0/threaded
Looking at the code from
http://www.e-learningone.it/software_free/e-learning/claroline175.zip, I
don't see a file named 'rootSys' in 'claroline/inc/lib'. Nor does it
seem like the flaw lies in the 'index.php' file in that directory -- it
has one executable line of code:
    header("Location:../../../");
There is, though, a file named 'export_exe_tracking.class.php' that is
probably what he was talking about. Its first non-comment line is:
    include_once($rootSys.$clarolineRepositoryAppend.'exercice/question.class.php');
And the issue was corrected with some patches on 10 May 2006; i.e.,
http://www.claroline.net/wiki/index.php/Talk:Manual_security_hack_in_1.6_and_1.7
George
--
theall at tenablesecurity.com
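
Added example (not part of the original post and not Claroline's code): a heuristic triage script that automates the manual check described above, flagging PHP files whose include/require path is built from variables the file itself never sets and that have no direct-access guard before it. The sample sources and the `APP_ENTRY` constant are constructed for illustration.

```python
import re

# Constructed samples modelled on the include_once line quoted in the post.
SAMPLE_UNGUARDED = r"""<?php
// export tracking class
include_once($rootSys.$clarolineRepositoryAppend.'exercice/question.class.php');
class Export {}
"""
# APP_ENTRY is a hypothetical constant a front controller would define.
SAMPLE_GUARDED = r"""<?php
/* library file */
if (!defined('APP_ENTRY')) die('---');
include_once($rootSys.$clarolineRepositoryAppend.'exercice/question.class.php');
"""

# Heuristic lexing: comment markers or ';' inside string literals will confuse it.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
TAGS = re.compile(r"<\?php|\?>")
ASSIGN = re.compile(r"^\$([A-Za-z_]\w*)\s*=(?!=)")
INCLUDE = re.compile(r"^(?:include|require)(?:_once)?\b(.*)$", re.S)
GUARD = re.compile(r"\b(?:defined|get_included_files)\s*\(.*\b(?:die|exit)\b", re.S)
VARIABLE = re.compile(r"\$([A-Za-z_]\w*)")

def unset_include_vars(php_source):
    """Return [(statement_number, [variable, ...])] for include/require paths
    built from variables the file never assigned, with no direct-access guard
    (a defined()/get_included_files() test followed by die/exit) before them."""
    code = TAGS.sub("", COMMENTS.sub("", php_source))
    statements = [s.strip() for s in code.split(";") if s.strip()]
    assigned, guarded, findings = set(), False, []
    for number, stmt in enumerate(statements, start=1):
        if GUARD.search(stmt):
            guarded = True
        assignment = ASSIGN.match(stmt)
        if assignment:
            assigned.add(assignment.group(1))
        include = INCLUDE.match(stmt)
        if include and not guarded:
            unset = [v for v in VARIABLE.findall(include.group(1)) if v not in assigned]
            if unset:
                findings.append((number, unset))
    return findings

if __name__ == "__main__":
    for name, src in (("unguarded", SAMPLE_UNGUARDED), ("guarded", SAMPLE_GUARDED)):
        print(name, unset_include_vars(src))
```

A hit only means the file deserves a manual look; variables set by an including script are outside what a single-file check can see.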