[VIM] Re: question about recent advisory (fwd)
jericho at attrition.org
Sun May 15 00:34:56 EDT 2005
FYI, don't think I originally sent to the list.
---------- Forwarded message ----------
From: Siegfried <siegfri3d at gmail.com>
To: security curmudgeon <jericho at attrition.org>
Date: Fri, 29 Apr 2005 00:16:53 +0200
Reply-To: Siegfried <Siegfried at zone-h.org>
Subject: Re: question about recent advisory
For the 3., yes, just multiple variables of these scripts are affected. I didn't
give many details about the 4. to not see the sites using Claroline in the
onhold list on zone-h the next day.. :P But for sure I can give you:
I didn't know you were part of OSVDB, jericho, good job!
----- Original Message -----
From: "security curmudgeon" <jericho at attrition.org>
To: <siegfried at zone-h.org>
Sent: Thursday, April 28, 2005 9:34 PM
Subject: question about recent advisory
> Hi Siegfried,
> In reference to the advisory on Claroline, can you provide a few more details
> so that I can properly enter these vulnerabilities in the Open Source
> Vulnerability Database (osvdb.org)?
> You state: Multiple Cross site scripting, 10 SQL injection, 7 directory
> traversal and 4 remote file inclusion vulnerabilities have been found in
> 3) Multiple directory traversal vulnerabilities in
> "claroline/document/document.php" and
> "claroline/learnPath/insertMyDoc.php" could allow project administrators
> (teachers) to upload files in arbitrary folders or copy/move/delete (then
> view) files of arbitrary folders by performing directory traversal
> Of the directory traversals, are these the only two scripts affected, and the
> 7 come from different variables? Or are other scripts also affected?
> 4) Four remote file inclusion vulnerabilities have been discovered.
> Can you share which files are affected?