Claroline Add_Course.PHP Cross-Site Scripting Vulnerability

Bugtraq ID:	12449
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Feb 04 2005 12:00AM
Updated:	Feb 04 2005 12:00AM
Credit:	Discovery of this vulnerability is credited to Yiannis Girod.
Vulnerable:	Claroline Claroline 1.5.3 Claroline Claroline 1.5
Not Vulnerable:

Claroline Add_Course.PHP Cross-Site Scripting Vulnerability

Reportedly Claroline is affected by a cross-site scripting vulnerability in the 'add_course.php' script. This issue is due to a failure of the application to properly sanitize user-supplied input.

As a result of this vulnerability, it is possible for a remote attacker to create a malicious link containing script code that will be executed in the browser of an unsuspecting user when followed. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.

Claroline Add_Course.PHP Cross-Site Scripting Vulnerability

No exploit is required.

Claroline Add_Course.PHP Cross-Site Scripting Vulnerability

Solution:
The vendor has released a patch to address this vulnerability:


Claroline Claroline 1.5.3

• Claroline claroline153fix01.zip
  http://www.claroline.net/dlarea/claroline153fix01.zip

Claroline Add_Course.PHP Cross-Site Scripting Vulnerability

References:

• Claroline Homepage (Claroline)