Local File Include Vulnerability (code execution) [FIXED]


Postby munozferna on Tue Jul 31, 2007 12:20 am

I came across this issue a couple of days ago while inspecting language translations. Claroline doesn't validate the user-supplied parameter for language, so by using something like ./../../../../../../../../../../../etc/passwd%00 it will allow files to be included. This can be abused to read system configuration files, and to execute code if users are allowed to upload txt or image files with PHP code, or by injecting PHP code in httpd logs and including them. This bug seems to affect several installations regardless of magic_quotes_gpc settings, since Claroline uses an internal function for disabling it.

[URL removed] I removed the URL for more confidentiality (Mathieu Laurent)

Although it is kinda obvious, the vulnerable code is in this file:

http://cvs.claroline.net/cgi-bin/viewcv ... iew=markup
- Fernando Muñoz
munozferna
 
Posts: 13
Joined: Sun Feb 04, 2007 2:44 am
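
The validation the post above says is missing, as an added example that is not part of the original thread and is not Claroline's actual fix. It treats the language value as an identifier, checks it against the installed language directories, and confirms the resolved file stays under the language root; `resolve_language_file`, `DEFAULT_LANGUAGE`, `LANG_FILE` and the directory layout are assumptions made for illustration.

```php
<?php
// Added example; function, constant and file names are hypothetical, not Claroline's.
const DEFAULT_LANGUAGE = 'english';
const LANG_FILE = 'messages.lang.php';   // assumed per-language file name

// Return the canonical path of the translation file for $requested, falling
// back to the default language whenever the value is not acceptable.
function resolve_language_file(string $langRoot, $requested): string
{
    $root = realpath($langRoot);
    if ($root === false) {
        throw new RuntimeException('language root does not exist');
    }
    $fallback = $root . DIRECTORY_SEPARATOR . DEFAULT_LANGUAGE . DIRECTORY_SEPARATOR . LANG_FILE;

    // 1. Syntax: a short identifier only. \A and \z anchor the whole string, so
    //    '/', '.' and a NUL byte (the decoded %00) can never pass.
    if (!is_string($requested) || preg_match('/\A[a-z][a-z0-9_]{0,31}\z/', $requested) !== 1) {
        return $fallback;
    }
    // 2. Allowlist: the name must be a language directory that is actually installed.
    $installed = array_map('basename', glob($root . '/*', GLOB_ONLYDIR) ?: []);
    if (!in_array($requested, $installed, true)) {
        return $fallback;
    }
    // 3. Containment: after symlinks are resolved the file must still be under $root.
    $file = realpath($root . DIRECTORY_SEPARATOR . $requested . DIRECTORY_SEPARATOR . LANG_FILE);
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($file === false || strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return $fallback;
    }
    return $file;
}

// Constructed demo: a throwaway language tree and a few request values.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lang_demo_' . getmypid();
foreach (['english', 'french'] as $lang) {
    @mkdir($root . DIRECTORY_SEPARATOR . $lang, 0700, true);
    file_put_contents($root . DIRECTORY_SEPARATOR . $lang . DIRECTORY_SEPARATOR . LANG_FILE, "<?php // $lang strings\n");
}
$inputs = ['french', "../../../etc/passwd\0", 'french/../english', 'klingon', ['french']];
foreach ($inputs as $input) {
    printf("%-28s => %s\n", json_encode($input, JSON_UNESCAPED_SLASHES), resolve_language_file($root, $input));
}
```

Only the first input resolves to the French file; every other value, including the array form that PHP builds from a `language[]=` request parameter, falls back to the default language.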

Postby marlon on Tue Jul 31, 2007 1:58 am

It's a problem....
marlon
 
Posts: 20
Joined: Tue Mar 08, 2005 7:38 pm

Postby zefredz on Tue Jul 31, 2007 7:14 am

Hello Fernando,

Thanks a lot for reporting this important issue.

I have reported it on our bug tracker http://jupiter.cerdecam.be/bug/view.php?id=943 and we will correct it in the next few hours and provide a patch.

Regards,
Frederic Minne (ZeFredz) - Claroline Team - Claroline.net
zefredz
Contributeurs Actif Forum
 
Posts: 986
Joined: Thu Sep 02, 2004 1:41 pm
Location: Belgium, LLN

Postby zefredz on Tue Jul 31, 2007 8:43 am

The bug is fixed, here is the diff: http://cvs.claroline.net/cgi-bin/viewcv ... 2=1.28.2.2

We will provide a patch or release a new version of Claroline as soon as possible.

Regards,
Frederic Minne (ZeFredz) - Claroline Team - Claroline.net
zefredz
Contributeurs Actif Forum
 
Posts: 986
Joined: Thu Sep 02, 2004 1:41 pm
Location: Belgium, LLN

Postby munozferna on Wed Aug 01, 2007 4:09 am

This may sound kind of selfish, but there is a section on http://cvs.claroline.net/cgi-bin/viewcv ... iew=markup that needs to get updated too :P

- Fernando Muñoz
munozferna
 
Posts: 13
Joined: Sun Feb 04, 2007 2:44 am

Postby zefredz on Wed Aug 01, 2007 7:16 am

Hello Fernando,

Yes, the credits file is completely outdated. Even the core teams at Cerdecam and IPM are no longer correct.

We will update the file as soon as possible and add your name to the security section.

Regards,
Frederic Minne (ZeFredz) - Claroline Team - Claroline.net
zefredz
Contributeurs Actif Forum
 
Posts: 986
Joined: Thu Sep 02, 2004 1:41 pm
Location: Belgium, LLN

