CVE-2006-2286

Name of the Vulnerable Software and Affected Versions Dokeos versions 1.6.3 and earlier Dokeos community release version 2.0.3

Description The issue allows remote attackers to execute arbitrary PHP code via a URL in several parameters, including rootSys and clarolineRepositorySys, and possibly lang path, extAuthSource, thisAuthSource, main configuration file path, phpDigIncCn, and drs to specific API endpoints, such as "testheaderpage.php" and "resourcelinker.inc.php".

Recommendations For Dokeos versions 1.6.3 and earlier, consider disabling the clarolineRepositorySys and rootSys parameters in the affected API endpoints until a patch is available. For Dokeos community release version 2.0.3, restrict access to the parameters lang path, extAuthSource, thisAuthSource, main configuration file path, phpDigIncCn, and drs in the "testheaderpage.php" and "resourcelinker.inc.php" endpoints to minimize the risk of exploitation.