Claroline Support

Bugs Claroline 1.8.7 (stable version)
Local File Include Vulnerability (code execution) [FIXED]

munozferna



Joined: 04 Feb 2007
Posts: 8

Posted: Tue Jul 31, 2007 12:20 am    Post subject: Local File Include Vulnerability (code execution) [FIXED]

I came across this issue a couple of days ago while inspecting language translations. Claroline doesn't validate the user-supplied parameter for language, so using something like ./../../../../../../../../../../../etc/passwd%00 will allow including files. This can be abused to read system configuration files, and to execute code if users are allowed to upload txt or image files with PHP code, or by injecting PHP code in httpd logs and including them. This bug seems to affect several installations regardless of magic_quotes_gpc settings, since Claroline uses an internal function for disabling it.

[URL removed] I removed the URL for more confidentiality (Mathieu Laurent)

Although it is kind of obvious, the vulnerable code is in this file:

http://cvs.claroline.net/cgi-bin/viewcvs.cgi/claroline/claroline/inc/lib/language.lib.php?view=markup
- Fernando Muñoz
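One way to validate the language parameter this report is about, shown as an added example that is not part of the thread and is not Claroline's code or its actual fix. The function name `safe_language`, the `english` default, the `strings.php` file name and the temporary directory layout are assumptions made for the illustration.

```php
<?php
// Added example with hypothetical names; not Claroline's code or its actual fix.
// Vulnerable pattern described in the report (request value used as a path part):
//   include $langRoot . '/' . $_REQUEST['language'] . '/strings.php';

function safe_language(string $requested, string $langRoot, string $default = 'english'): string
{
    // 1. Syntax allowlist. \A and \z anchor the whole string, so "/", "\", ".",
    //    NUL bytes and a trailing newline are all rejected.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested) !== 1) {
        return $default;
    }
    // 2. The name must be an existing directory directly under the language root
    //    (realpath() also resolves symlinks that point elsewhere).
    $root = realpath($langRoot);
    $dir  = realpath($langRoot . DIRECTORY_SEPARATOR . $requested);
    if ($root === false || $dir === false || !is_dir($dir) || dirname($dir) !== $root) {
        return $default;
    }
    return $requested;
}

// Self-check on a constructed directory tree (sample data, built at run time).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lang_demo_' . getmypid();
foreach (['english', 'french'] as $name) {
    @mkdir($root . DIRECTORY_SEPARATOR . $name, 0700, true);
}
$cases = [
    'french'   => 'french',
    'klingon'  => 'english', // well-formed name, but not installed
    // Decoded form of the request value quoted in the report above.
    "./../../../../../../../../../../../etc/passwd\0" => 'english',
    "french\n" => 'english', // trailing newline must not slip past the regex
    '..'       => 'english',
];
foreach ($cases as $input => $expected) {
    if (safe_language((string) $input, $root) !== $expected) {
        throw new RuntimeException('unexpected result for ' . json_encode($input));
    }
}
foreach (['english', 'french'] as $name) {
    rmdir($root . DIRECTORY_SEPARATOR . $name);
}
rmdir($root);
echo "all cases passed\n";
```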
marlon



Joined: 08 Mar 2005
Posts: 18

Posted: Tue Jul 31, 2007 1:58 am

it's a problem....
zefredz
Active Forum Contributor

Joined: 02 Sep 2004
Posts: 357
Location: Belgium, LLN

Posted: Tue Jul 31, 2007 7:14 am

Hello Fernando,

Thanks a lot for reporting this important issue.

I have reported it on our bug tracker http://jupiter.cerdecam.be/bug/view.php?id=943 and we will correct it in the next few hours and provide a patch.

Regards,
_________________
ZeFredz - Frederic Minne - Claroline Team
Claroline Metrics
zefredz
Active Forum Contributor

Joined: 02 Sep 2004
Posts: 357
Location: Belgium, LLN

Posted: Tue Jul 31, 2007 8:43 am

The bug is fixed, here is the diff: http://cvs.claroline.net/cgi-bin/viewcvs.cgi/claroline/claroline/inc/lib/language.lib.php?r1=1.28.2.1&r2=1.28.2.2

We will provide a patch or release a new version of Claroline as soon as possible.

Regards,
_________________
ZeFredz - Frederic Minne - Claroline Team
Claroline Metrics
munozferna



Joined: 04 Feb 2007
Posts: 8

Posted: Wed Aug 01, 2007 4:09 am

This may sound kind of selfish, but there is a section on http://cvs.claroline.net/cgi-bin/viewcvs.cgi/claroline/CREDITS.txt?view=markup that needs to get updated too :P

- Fernando Muñoz
zefredz
Active Forum Contributor

Joined: 02 Sep 2004
Posts: 357
Location: Belgium, LLN

Posted: Wed Aug 01, 2007 7:16 am

Hello Fernando,

Yes, the credits file is completely outdated. Even the core teams at Cerdecam and IPM are no longer correct.

We will update the file as soon as possible and add your name to the security section.

Regards,
_________________
ZeFredz - Frederic Minne - Claroline Team
Claroline Metrics