beford
Joined: 08 May 2006 Posts: 1
Posted: Mon May 08, 2006 6:57 am    Post subject: Security Issue
PATCH AVAILABLE
Read the news
http://www.claroline.net/news.php
I've tried mailing info@claroline.net but I didn't get a response, so I'll send a PM to the admin of the forums, just to recommend the use of safe mode in PHP, and/or disabling URL access for includes in PHP.
Edit: oh, private messages have been disabled, sucks, I'll have to disclose the bug here. There are several files in the claroline/auth/extauth/ folder that are vulnerable to remote file includes:
claroline/auth/extauth/drivers/ldap.inc.php?clarolineRepositorySys=
claroline/auth/extauth/casProcess.inc.php?claro_CasLibPath=
This would allow remote command execution in the current Claroline version.
Hugues Contributeurs Actif Forum
Joined: 16 Apr 2002 Posts: 2010 Location: Belgium
Posted: Mon May 08, 2006 10:36 am    Post subject:
The security hole only affects PHP systems configured with register_globals set to on (this parameter is off by default in PHP distributions since PHP 4.2). A patch fixing the security hole will be rapidly available. Our development team is famous for reacting fast in that kind of circumstance. You can count on us! While waiting, if you're on Claroline 1.7, we suggest setting your system to register_globals = off. This is safer for your system.
_________________
Life is too short: use Claroline!
mathieu Contributeurs Actif Forum
Joined: 09 Apr 2004 Posts: 4335 Location: Belgium, Bruxelles, Soignies
Posted: Mon May 08, 2006 10:50 am    Post subject:
We have fixed the holes in the 1.6, 1.7 and main branches of the Claroline CVS.
News, patches and releases will be online today.
While waiting, you can fix these scripts:
in claroline/auth/extauth/drivers/*.inc.php
replace this line:
Code:
    // vulnerable: $clarolineRepositorySys can come from the request when register_globals is on
    return require $clarolineRepositorySys.'/auth/extauth/extAuthProcess.inc.php';
by:
Code:
    // fixed: the path is anchored on this file's own directory, not on request data
    return require dirname(__FILE__).'/../extAuthProcess.inc.php';
claroline/auth/extauth/casProcess.inc.php
add this line:
Code:
    // stop the include file from being requested directly by a client
    if ((bool) stristr($_SERVER['PHP_SELF'], basename(__FILE__))) die();
There is also a dedicated page on security here: http://www.claroline.net/wiki/index.php/Security
For more security, Claroline 1.7 can work with:
Code:
    register_globals off
    allow_url_fopen off
Regards
Mathieu
_________________
Mathieu Laurent - Support the Claroline project - Donate today!
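Both fixes from this post combined into one hardened include file, written here as an added illustration rather than taken from the Claroline patch. The file name, the helper claro_assertSafeIncludeEnvironment() and the choice of ini directives it treats as fatal are assumptions of this example.

```php
<?php
// Added example, not Claroline's own code: a driver-style include file that
// applies both fixes from this thread and refuses to run in a risky PHP setup.

// 1. Direct-access guard (the casProcess.inc.php fix). This file must only be
//    pulled in by another script; if the requested script is this file itself,
//    a client is calling it directly and nothing below may execute. The check
//    fails closed: a spoofed PHP_SELF can at worst trigger this die().
if ((bool) stristr($_SERVER['PHP_SELF'], basename(__FILE__))) {
    die('Direct access not permitted.');
}

// 2. Environment self-check (assumed helper). With register_globals=on, an
//    unset variable such as $clarolineRepositorySys can be seeded from the
//    query string; with allow_url_fopen=on that seeded path may even name a
//    remote URL. Returns the list of directives that are switched on.
function claro_assertSafeIncludeEnvironment()
{
    $risky = array();
    foreach (array('register_globals', 'allow_url_fopen') as $directive) {
        // ini_get() yields '' or '0' (or false if unknown) when the directive is off.
        if (filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
            $risky[] = $directive;
        }
    }
    return $risky;
}

$risky = claro_assertSafeIncludeEnvironment();
if (count($risky) > 0) {
    // Treating both as fatal matches the "can work with" settings in this post;
    // a site that needs allow_url_fopen elsewhere could log instead of dying.
    die('Refusing to run: ' . implode(', ', $risky) . ' enabled in php.ini');
}

// 3. Path anchored on this file's own location (the drivers/*.inc.php fix).
//    dirname(__FILE__) is resolved by the interpreter, never from request
//    data, so the include can no longer be pointed at a foreign file.
return require dirname(__FILE__) . '/../extAuthProcess.inc.php';
```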
mathieu Contributeurs Actif Forum
Joined: 09 Apr 2004 Posts: 4335 Location: Belgium, Bruxelles, Soignies
Posted: Wed May 10, 2006 10:54 am    Post subject:
Patch available on the website:
Quote:
    Claroline Security Alerts
    Several security holes have just been detected in Claroline 1.7.* and 1.6.*
    Platforms running Claroline 1.7.* with PHP register_globals off or allow_url_fopen off are not vulnerable.
    We seriously advise all people using Claroline 1.6, or PHP with the register_globals configuration enabled, to patch their platform as soon as possible.
    More advice on the security of your Claroline platform is here.
    Download the patches at these addresses:
    * Claroline 1.7 : http://www.claroline.net/dlarea/claroline.patch17501.zip
    * Claroline 1.6 : http://www.claroline.net/dlarea/claroline.patch16401.zip
    How to apply the patch
    * Uncompress the zip archive file 'claroline.patch1**01.zip'.
    * Copy the 'claroline' directory found inside that archive over the 'claroline' directory already available on your web server.
Mathieu
_________________
Mathieu Laurent - Support the Claroline project - Donate today!
marina Contributeurs Actif Forum
Joined: 23 Aug 2005 Posts: 65
Posted: Wed May 10, 2006 1:04 pm    Post subject: file auth.conf.php in patch
Hello,
We're currently applying the patches you gave on your website. It seems that you put the file auth.conf.php instead of auth.conf.php.dist, so people are going to override their authentication settings!
Best regards
Marina