| Field | Value |
| --- | --- |
| VID | 21981 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |

Detailed Description:

Dokeos is vulnerable to multiple remote file include vulnerabilities in versions prior to 1.6.4 (Dokeos) or 2.0.3 (Dokeos Community Release). Dokeos is a learning management system. Dokeos versions 1.6.3 and earlier and Dokeos Community Release 2.0.2 and earlier are vulnerable to multiple remote file include vulnerabilities, caused by improper validation of user-supplied input passed to the 'rootSys' parameter in the 'claroline/exercice/testheaderpage.php' script and the 'clarolineRepositorySys' parameter in the 'claroline/resourcelinker/resourcelinker.inc.php' script. If PHP's 'register_globals' setting is enabled, a remote attacker could send a specially-crafted URL request to execute arbitrary PHP code and operating system commands on the affected host.

* References:
  * http://www.dokeos.com/forum/viewtopic.php?t=6848
  * http://www.dokeos.com/wiki/index.php/Security#April_5th.2C_2006
  * http://www.frsirt.com/english/advisories/2006/1303
  * http://secunia.com/advisories/19576/
* Platforms Affected:
  * Dokeos version 1.6.3 and earlier versions
  * Dokeos version 2.0.2 and earlier versions
  * Any operating system
  * Any versions

Recommendation:

Upgrade to the latest version of Dokeos (1.6.4 or later) or Dokeos Community Release (2.0.3 or later), available from the Dokeos Learning Management System Web site at http://www.dokeos.com/download.php

| Related URL | Reference |
| --- | --- |
| CVE | CVE-2006-2286 |
| SecurityFocus | (not given) |
| ISS | 25740 |