
Bugs Claroline 1.7.9 (old stable version)
Security Issue

beford
Joined: 08 May 2006
Posts: 1
Posted: Mon May 08, 2006 6:57 am    Post subject: Security Issue

PATCH AVAILABLE
Read the news
http://www.claroline.net/news.php


I've tried mailing info@claroline.net but I didn't get a response, so I'll send a PM to the admin of the forums, just to recommend the use of safe mode in PHP and/or disabling URL access for includes in PHP.

Edit: oh, private messages have been disabled, sucks. I'll have to disclose the bug here. There are several files in the claroline/auth/extauth/ folder that are vulnerable to remote file includes:

claroline/auth/extauth/drivers/ldap.inc.php?clarolineRepositorySys=
claroline/auth/extauth/casProcess.inc.php?claro_CasLibPath=

This would allow remote command execution in current claroline version.
Hugues
Active Forum Contributor
Joined: 16 Apr 2002
Posts: 2010
Location: Belgium
Posted: Mon May 08, 2006 10:36 am

The security hole only affects PHP systems configured with register_globals set to on (this parameter is set to off by default in PHP distributions since PHP 4.2). A patch fixing the security hole will be available rapidly. Our development team is famous for reacting fast in that kind of circumstance. You can count on us! While waiting, if you're on Claroline 1.7, we suggest setting your system to register_globals = off. This is safer for your system.
_________________
Life is too short : use Claroline !
mathieu
Active Forum Contributor
Joined: 09 Apr 2004
Posts: 4335
Location: Belgium, Bruxelles, Soignies
Posted: Mon May 08, 2006 10:50 am

We have fixed the holes in the 1.6, 1.7 and main branches of the Claroline CVS.

News, patches and releases will be online today.

While waiting, you can fix these scripts:

in claroline/auth/extauth/drivers/*.inc.php

replace this line:

Code:
return require $clarolineRepositorySys.'/auth/extauth/extAuthProcess.inc.php';


by:

Code:
return require dirname(__FILE__).'/../extAuthProcess.inc.php';


claroline/auth/extauth/casProcess.inc.php

add this line:

Code:
if ((bool) stristr($_SERVER['PHP_SELF'], basename(__FILE__))) die();

There is also a dedicated page on security here: http://www.claroline.net/wiki/index.php/Security

For more security, Claroline 1.7 can work with:

Code:
register_globals off
allow_url_fopen off


Regards

Mathieu
_________________
Mathieu Laurent - Support the Claroline project - Donate today!
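A defender-side check, added here and not part of the thread or of Claroline, that scans PHP source for the two patterns discussed above: an include/require whose path starts with a variable no earlier line assigns (what register_globals turned into a remote file include), and the presence of the PHP_SELF/basename(__FILE__) guard against calling an include file directly. The PHP excerpts are constructed to model the thread's lines, not copied from Claroline.

```python
import re

# Constructed PHP excerpts (not Claroline's real source) modelling the thread's
# patterns: an include path that starts with a never-assigned variable, which
# register_globals lets a request supply, and the dirname(__FILE__) replacement.
VULNERABLE_DRIVER = """<?php
return require $clarolineRepositorySys.'/auth/extauth/extAuthProcess.inc.php';
"""
FIXED_DRIVER = """<?php
return require dirname(__FILE__).'/../extAuthProcess.inc.php';
"""
ASSIGNED_FIRST = """<?php
$libPath = dirname(__FILE__).'/lib';
include $libPath.'/helper.inc.php';
"""
GUARDED_INCLUDE = """<?php
if ((bool) stristr($_SERVER['PHP_SELF'], basename(__FILE__))) die();
"""

# include/require whose path expression begins with a PHP variable
INCLUDE_RE = re.compile(
    r"\b(include|include_once|require|require_once)\b\s*\(?\s*(\$[A-Za-z_]\w*)")
# plain assignment to a variable (a single '=', not '==')
ASSIGN_RE = re.compile(r"(\$[A-Za-z_]\w*)\s*=(?!=)")
# the thread's guard that dies when the include file is requested directly
GUARD_RE = re.compile(
    r"stristr\s*\(\s*\$_SERVER\[\s*['\"]PHP_SELF['\"]\s*\]\s*,\s*basename\s*\(\s*__FILE__\s*\)\s*\)")


def find_unassigned_includes(php_source):
    """Report include/require statements whose path begins with a variable that
    no earlier line assigns. With register_globals on, such a variable can come
    straight from the query string, so the include path becomes request-chosen."""
    findings = []
    assigned = set()
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        match = INCLUDE_RE.search(line)
        if match and match.group(2) not in assigned:
            findings.append({"line": lineno, "statement": match.group(1),
                             "variable": match.group(2)})
        # assignments are recorded after the check, so an include that follows an
        # assignment on the same line is still reported (deliberately conservative)
        assigned.update(m.group(1) for m in ASSIGN_RE.finditer(line))
    return findings


def has_direct_access_guard(php_source):
    """True when the file carries the die()-on-direct-request guard from the thread."""
    return GUARD_RE.search(php_source) is not None
```

Run over a whole tree, a non-empty result from find_unassigned_includes() in a driver file, or a missing guard in a .inc.php that is web-reachable, is what to look for before applying the patch.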
mathieu
Active Forum Contributor
Joined: 09 Apr 2004
Posts: 4335
Location: Belgium, Bruxelles, Soignies
Posted: Wed May 10, 2006 10:54 am

Patch available on the website:

Quote:
Claroline Security Alerts

Several security holes have just been detected in Claroline 1.7.* and 1.6.*

Claroline 1.7.* platforms running PHP with register_globals off or allow_url_fopen off are not vulnerable.

We seriously advise all people using Claroline 1.6, or PHP with register_globals enabled, to patch their platform as soon as possible.

More advice on the security of your Claroline platform is here.

Download the patches at these addresses:

* Claroline 1.7 : http://www.claroline.net/dlarea/claroline.patch17501.zip
* Claroline 1.6 : http://www.claroline.net/dlarea/claroline.patch16401.zip

How to apply the patch

* Uncompress the zip archive file 'claroline.patch1**01.zip'.
* Copy the 'claroline' directory found inside that archive over the 'claroline' directory already present on your web server.


Mathieu
_________________
Mathieu Laurent - Support the Claroline project - Donate today!
marina
Active Forum Contributor
Joined: 23 Aug 2005
Posts: 65
Posted: Wed May 10, 2006 1:04 pm    Post subject: file auth.conf.php in patch

Hello,

We're currently applying the patches you gave on your website. It seems that you put the file auth.conf.php instead of auth.conf.php.dist, so people are going to override their authentication settings!

Best regards
Marina
mathieu
Active Forum Contributor
Joined: 09 Apr 2004
Posts: 4335
Location: Belgium, Bruxelles, Soignies
Posted: Wed May 10, 2006 1:15 pm

Thanks, I'll fix that!
_________________
Mathieu Laurent - Support the Claroline project - Donate today!
mathieu
Active Forum Contributor
Joined: 09 Apr 2004
Posts: 4335
Location: Belgium, Bruxelles, Soignies
Posted: Wed May 10, 2006 1:19 pm

It's fixed. Thanks a lot for the help.

Regards

Mathieu
_________________
Mathieu Laurent - Support the Claroline project - Donate today!