Dokeos 'user_portal.php' Local File Include Vulnerability
BID:30150
Info
Dokeos 'user_portal.php' Local File Include Vulnerability
| Bugtraq ID: | 30150 |
| Class: | Input Validation Error |
| CVE: |
CVE-2008-3363 |
| Remote: | Yes |
| Local: | No |
| Published: | Jul 09 2008 12:00AM |
| Updated: | May 07 2015 05:27PM |
| Credit: | Dokeos |
| Vulnerable: |
Dokeos Dokeos 1.8.5 |
| Not Vulnerable: | |
Discussion
Dokeos 'user_portal.php' Local File Include Vulnerability
Dokeos is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to view local files or execute arbitrary local scripts on the vulnerable computer in the context of the webserver process.
Please note that this issue affects only Dokeos running on Windows.
Dokeos 1.8.5 is vulnerable; other versions may also be affected.
Dokeos is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to view local files or execute arbitrary local scripts on the vulnerable computer in the context of the webserver process.
Please note that this issue affects only Dokeos running on Windows.
Dokeos 1.8.5 is vulnerable; other versions may also be affected.
Exploit / POC
Dokeos 'user_portal.php' Local File Include Vulnerability
Attackers may exploit this vulnerability via a browser.
The following example URI is available:
http://www.example.com/[installdir]/user_portal.php?include=..\..\..\..\..\..\..\..\..\..\..\..\..\boot.ini%00.ht
The following exploit code is available:
Attackers may exploit this vulnerability via a browser.
The following example URI is available:
http://www.example.com/[installdir]/user_portal.php?include=..\..\..\..\..\..\..\..\..\..\..\..\..\boot.ini%00.ht
The following exploit code is available:
Solution / Fix
Dokeos 'user_portal.php' Local File Include Vulnerability
Solution:
The vendor provided the following solution for this issue:
Fixing this issue can be done by replacing line 770 of /user_portal.php by:
if (!empty ($_GET['include']) && preg_match('/^[a-zA-Z0-9_-]*\.html$/',$_GET['include']))
Please see the references for more information.
Solution:
The vendor provided the following solution for this issue:
Fixing this issue can be done by replacing line 770 of /user_portal.php by:
if (!empty ($_GET['include']) && preg_match('/^[a-zA-Z0-9_-]*\.html$/',$_GET['include']))
Please see the references for more information.
References
Dokeos 'user_portal.php' Local File Include Vulnerability
References:
References:
- Dokeos Homepage (Dokeos)
- [DSECRG-08-029] Local File Include in Dokeos E-Learning (Digital Security Research Group
- Security Dokeos 1.8.5 (Dokeos)