|
|
Family: CGI abuses --> Category: attack
Claroline < 1.5.4 / 1.6.0 Multiple Input Validation Vulnerabilities Vulnerability Scan
Vulnerability Scan Summary
Checks for multiple input validation vulnerabilities in Claroline < 1.5.4 / 1.6.0
Detailed Explanation for this Vulnerability Test
Synopsis :
The remote web server contains a PHP application that is prone to a
variety of attacks.
Description :
The version of Claroline (an open source, collaborative learning
environment) installed on the remote host suffers from a number of
remotely-exploitable vulnerabilities, including:
- Multiple Remote File Include Vulnerabilities
Four scripts let a possible hacker read arbitrary files on the
remote host and possibly even run arbitrary PHP code,
subject to the rights of the web server user.
- Multiple SQL Injection Vulnerabilities
Seven scripts let a possible hacker inject arbitrary input
into SQL statements, potentially revealing sensitive
data or altering them.
- Multiple Cross-Site Scripting Vulnerabilities
A possible hacker can pass arbitrary HTML and script code
through any of 10 flawed scripts and potentially have
that code executed by a user's browser in the context
of the affected web site.
- Multiple Directory Traversal Vulnerabilities
By exploiting flaws in 'claroline/document/document.php'
and 'claroline/learnPath/insertMyDoc.php', project leaders
(teachers) are able to upload files to arbitrary folders
or copy/move/delete (then view) files of arbitrary folders.
See also :
http://www.zone-h.org/advisories/read/id=7472
Solution :
Upgrade to Claroline version 1.5.4 / 1.6.0 or later.
Threat Level:
High / CVSS Base Score : 7
(AV:R/AC:L/Au:NR/C:P/A:P/I:P/B:N)
Click HERE for more information and discussions on this network vulnerability scan.
|
