Dokeos is an Open Source elearning and course management web application
translated in 34 languages
and helping more than 1.000 organisations worldwide to manage learning and
collaboration activities.
Vulnerability.
Dokeos was built using Claroline's code; it inherited several of its
features including an old version
of phpBB which is being used as the forum for the courses. There is a
problem in the ?viewtopic.php",
where the $topic variable is not correctly sanitized and $forumview is
equal to ?threaded", that would
allow an attacker to inject arbitrary code to the application.
Impact
An attacker could use Blind SQL Injection to gain access to privileged
data like the password hashes
for the administrator user and so on.
Rodrigo Guitierrez <rodrigo (at) secure (dot) cl [email concealed]>
University of Los Lagos in Chile "for lending the required equipment for
testing" >:D
full-disclosure (at) list.grok.org (dot) uk [email concealed]
bugtraq (at) securityfocus (dot) com [email concealed], info (at) securiteam (dot) com [email concealed],
submissions (at) packetstormsecurity (dot) org [email concealed], rodrigo (at) secure (dot) cl [email concealed]
Author: Alvaro Olavarria <aolavarria (at) secure (dot) cl [email concealed]>
Affected: Dokeos <= 1.6.4
Status: Notified hereby
Vendor url: http://www.dokeos.com
Background.
Dokeos is an Open Source elearning and course management web application
translated in 34 languages
and helping more than 1.000 organisations worldwide to manage learning and
collaboration activities.
Vulnerability.
Dokeos was built using Claroline's code; it inherited several of its
features including an old version
of phpBB which is being used as the forum for the courses. There is a
problem in the ?viewtopic.php",
where the $topic variable is not correctly sanitized and $forumview is
equal to ?threaded", that would
allow an attacker to inject arbitrary code to the application.
Impact
An attacker could use Blind SQL Injection to gain access to privileged
data like the password hashes
for the administrator user and so on.
Proof of Concept
http://localhost/claroline/phpbb/viewtopic.php?cidReq=102&gidReq=&forum=
1&0&forumview=threaded&topic=1[blind_sql_inject]
Greetings
Rodrigo Guitierrez <rodrigo (at) secure (dot) cl [email concealed]>
University of Los Lagos in Chile "for lending the required equipment for
testing" >:D
full-disclosure (at) list.grok.org (dot) uk [email concealed]
bugtraq (at) securityfocus (dot) com [email concealed], info (at) securiteam (dot) com [email concealed],
submissions (at) packetstormsecurity (dot) org [email concealed], rodrigo (at) secure (dot) cl [email concealed]
[ reply ]