
[Full-disclosure] Claroline file inclusion vulnerabilities

2006-05-09 00:00:00
vulners.com

Beford posted a tool on milw0rm exploiting some file inclusion
vulnerabilities in Claroline:
http://www.milw0rm.com/exploits/1766

If someone wants the complete list of the vulnerable files, here it is:

The "clarolineRepositorySys" parameter in:
"claroline/auth/extauth/drivers/ldap.inc.php",
"claroline/auth/extauth/drivers/atutor.inc.php",
"claroline/auth/extauth/drivers/db-generic.inc.php",
"claroline/auth/extauth/drivers/docebo.inc.php",
"claroline/auth/extauth/drivers/dokeos.1.6.inc.php",
"claroline/auth/extauth/drivers/dokeos.inc.php",
"claroline/auth/extauth/drivers/ganesha.inc.php",
"claroline/auth/extauth/drivers/mambo.inc.php",
"claroline/auth/extauth/drivers/moodle.inc.php",
"claroline/auth/extauth/drivers/phpnuke.inc.php",
"claroline/auth/extauth/drivers/postnuke.inc.php",
"claroline/auth/extauth/drivers/spip.inc.php"

The "includePath" parameter in:
"claroline/auth/extauth/drivers/mambo.inc.php"
"claroline/auth/extauth/drivers/postnuke.inc.php"

And the "claro_CasLibPath" parameter in:
"claroline/auth/extauth/casProcess.inc.php"

After looking at the code, I also found:
claroline/inc/lib/event/init_event_manager.inc.php

[…]
require_once($includePath . '/lib/event/class.event.php');

require_once($includePath . '/lib/event/notifier.php');
[…]

and:

/claroline/inc/lib/export_exe_tracking.class.php

[…]
include_once($rootSys.$clarolineRepositoryAppend.'exercice/question.class.php');
include_once($rootSys.$clarolineRepositoryAppend.'exercice/answer.class.php');
include_once( dirname(__FILE__) . '/csv.class.php');
[…]

I mailed the Claroline staff; I don't wait for a patch because anyway the
ones Beford found are unpatched and public.

Claroline supports register_globals off; it is the solution.

Kevin Fernandez


Zone-H Admin
[email protected]
www.zone-h.org
www.zone-h.fr


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
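An added illustration, constructed for this page and not Claroline's own code: the include pattern quoted in the post (a path prefix taken from a variable the file never initialises, which register_globals fills from the request) next to a hardened form that takes its root only from configuration and checks the canonicalised result stays inside it. The function names, the bootstrap constant EXAMPLE_APP_BOOTSTRAPPED and the temporary directory tree are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Constructed example (not Claroline's code). It shows why the includes quoted
// in the post are dangerous under register_globals and how to build include
// paths from trusted configuration only. All names and the temp tree are made up.

/**
 * The pattern from the post: the prefix is a variable this file never sets.
 * With register_globals=On, PHP creates $clarolineRepositorySys from the
 * request, so a direct request to the driver file picks the include location.
 * Modelled as a function taking that variable so the effect is visible.
 */
function build_include_path_unsafe(?string $clarolineRepositorySys): string
{
    // With allow_url_include/allow_url_fopen this can even be a remote URL.
    return $clarolineRepositorySys . '/lib/event/class.event.php';
}

/**
 * Hardened form: the root comes from configuration, the relative part is
 * restricted to a conservative character set, and the canonicalised result
 * must stay inside the root. Throws instead of including anything doubtful.
 */
function build_include_path_safe(string $trustedRoot, string $relative): string
{
    $root = realpath($trustedRoot);
    if ($root === false) {
        throw new RuntimeException("Configured root does not exist: $trustedRoot");
    }
    // No scheme separators (http://, php://), no parent references, no absolute paths.
    if (preg_match('#^[A-Za-z0-9_][A-Za-z0-9_./-]*$#', $relative) !== 1
        || strpos($relative, '..') !== false) {
        throw new InvalidArgumentException("Rejected relative path: $relative");
    }
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $relative);
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($candidate === false || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("Include target escapes root: $relative");
    }
    return $candidate;
}

/**
 * Library files should refuse to run when requested directly. The constant
 * name is hypothetical; the application's front controller would define it.
 */
function assert_bootstrapped(): void
{
    if (!defined('EXAMPLE_APP_BOOTSTRAPPED')) {
        http_response_code(403);
        exit('Direct access not allowed');
    }
}

// --- Demo on a constructed temporary tree --------------------------------
define('EXAMPLE_APP_BOOTSTRAPPED', true);
assert_bootstrapped();

// register_globals was removed in PHP 5.4; on older engines, warn if it is on.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    fwrite(STDERR, "register_globals is on; set it Off in php.ini before deploying\n");
}

$root = sys_get_temp_dir() . '/claro_demo_' . getmypid();
mkdir($root . '/lib/event', 0700, true);
file_put_contents($root . '/lib/event/class.event.php', "<?php\n// placeholder\n");

echo "unsafe, attacker-supplied prefix: ",
    build_include_path_unsafe('http://example.invalid/remote'), "\n";
echo "safe, trusted root: ", build_include_path_safe($root, 'lib/event/class.event.php'), "\n";

foreach (['../outside.php', 'http://example.invalid/remote.php', 'php://input', '/outside/absolute.php'] as $bad) {
    try {
        build_include_path_safe($root, $bad);
        echo "UNEXPECTED: accepted $bad\n";
    } catch (Exception $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}

// Clean up the constructed tree.
unlink($root . '/lib/event/class.event.php');
rmdir($root . '/lib/event');
rmdir($root . '/lib');
rmdir($root);
```

The third include quoted from export_exe_tracking.class.php, anchored on the file's own directory, is already the safe shape; the first two depend on $rootSys and $clarolineRepositoryAppend being set by the caller, which is exactly what register_globals lets a request override. Turning register_globals off (it no longer exists from PHP 5.4 onward) removes the request as a source for those variables, and the bootstrap guard closes the remaining gap of library files being requested directly.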