Claroline claro_init_header.inc.php Remote File Inclusion

2005-04-27T08:26:58
ID OSVDB:16539
Type osvdb
Reporter Sieg Fried (Siegfried@zone-h.org)
Modified 2005-04-27T08:26:58

Description

Vulnerability Description

Claroline contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to claro_init_header.inc.php not properly sanitizing user-supplied input. This may allow an attacker to include a file from a remote host that contains arbitrary commands, which will be executed by the vulnerable script.

Solution Description

Upgrade to version 1.5.4, 1.6 final or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.claroline.net/
Vendor Specific Advisory URL
Security Tracker: 1013822
Secunia Advisory ID: 15161
Related OSVDB ID: 16520
Related OSVDB ID: 16537
Related OSVDB ID: 16542
Related OSVDB ID: 16530
Related OSVDB ID: 16540
Related OSVDB ID: 16541
Other Advisory URL: http://www.zone-h.org/advisories/read/id=7472
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-04/0467.html
Keyword: Zone-H Research Center Security Advisory 200501
ISS X-Force ID: 20300
CVE-2005-1377
Bugtraq ID: 13407