
Chamilo 1.8.7 / Dokeos 1.8.6 File Disclosure

Posted Feb 5, 2011
Authored by beford

Chamilo version 1.8.7 and Dokeos version 1.8.6 suffer from a remote file disclosure vulnerability.

tags | exploit, remote, info disclosure
SHA-256 | 6ddbeee8008062c9b6a9a1e4659d50e5fb1431010d69c97d882f51407dc1cf01

# Title: Chamilo 1.8.7 / Dokeos 1.8.6 Remote File Disclosure
# Date: 2011/01/31
# Author: beford
# Software Link: http://www.dokeos.com/download/dokeos-1.8.6.1.zip
# http://chamilo.googlecode.com/files/chamilo-1.8.7.1-stable.tar.gz


Affected products
=================
Dokeos 1.8.6.1 / 2.0
Chamilo 1.8.7.1


Summary
=======
Two file disclosure flaws exist in these LMS platforms. They could
allow an attacker registered on the system to obtain files from the
server, e.g. the database configuration file, or any other file
readable by the web server.

Details
=======
1) The user input to the $_GET['file'] variable was not cleaned at
all, and was used to open a file and send it to the user's browser.
Exploiting it only required being registered and subscribed to a course:

POC:

http://lmscampus.tld/main/gradebook/open_document.php?file=../main/inc/conf/configuration.php


2) The user input to $_GET['doc_url'] was checked for path traversal
attempts; however, the filter is wrongly implemented and can be
bypassed. Other functions that should prevent this behavior were also
not working properly.

When "..././" is passed to the filter, it replaces "../" with "" first, which
leaves me with "../" and allows me to bypass it completely.


http://lmscampus.tld/main/document/download.php?doc_url=/..././..././..././main/inc/conf/configuration.php
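An added example (not part of beford's advisory or of either project's code) contrasting the single-pass "../" stripping described above with a containment check on the canonicalised path; the document root, the function names and the reconstruction of what the vulnerable code opens are assumptions.

```python
import os

# Constructed document root for this example (not a real Chamilo/Dokeos path).
DOCUMENT_ROOT = "/srv/lms/courses"


def weak_filter(doc_url: str) -> str:
    """The flawed sanitiser the advisory describes: a single pass that
    replaces '../' with ''. Removing the inner '../' of '..././' leaves the
    surrounding characters to form a fresh '../'."""
    return doc_url.replace("../", "")


def vulnerable_open_path(doc_url: str) -> str:
    """Assumed reconstruction of what the vulnerable code ends up opening:
    the filtered value appended to the document root. normpath shows the
    path the OS would actually resolve."""
    return os.path.normpath(DOCUMENT_ROOT + weak_filter(doc_url))


def safe_resolve(base_dir: str, doc_url: str):
    """Hardened alternative: strip nothing. Join the user value to the base
    directory, canonicalise it (realpath resolves '..', '.' and symlinks)
    and reject anything that does not stay inside base_dir.
    Returns the canonical path, or None if the request must be refused."""
    base = os.path.realpath(base_dir)
    # Leading separators would otherwise let an absolute doc_url replace base.
    candidate = os.path.realpath(os.path.join(base, doc_url.lstrip("/")))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs: a legitimate course file and the advisory's bypass.
    for url in ("/lesson1/intro.pdf",
                "/..././..././..././main/inc/conf/configuration.php"):
        print(f"{url}\n  weak filter opens : {vulnerable_open_path(url)}"
              f"\n  hardened resolves : {safe_resolve(DOCUMENT_ROOT, url)}")
```

The hardened check turns the raw bypass string into a nonexistent path under the document root (a harmless 404), and rejects outright the "../../../" form that the weak filter produces.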


Vendor notified: Jan 29/31, 2011
Vendor response Dokeos: none
Vendor response Chamilo: Patches developed and new version expected
around Feb 15

© 2022 Packet Storm. All rights reserved.