CVE-2008-0850

Name of the Vulnerable Software and Affected Versions Dokeos version 1.8.4

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved through various parameters and HTTP headers, including the id parameter to "whoisonline.php", tracking list coaches column parameter to "main/mySpace/index.php", tutor name parameter to "main/create course/add course.php", the Referer HTTP header to "index.php", and the X-Fowarded-For HTTP header to "main/admin/class list.php".

Recommendations For Dokeos version 1.8.4, consider disabling the parameters id, tracking list coaches column, and tutor name in their respective scripts until a patch is available. Restrict access to the "whoisonline.php", "main/mySpace/index.php", and "main/create course/add course.php" scripts to minimize the risk of exploitation. Avoid using the Referer and X-Fowarded-For HTTP headers in the "index.php" and "main/admin/class list.php" scripts, respectively, until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.