PT-2005-3488 · Dokeos, Claroline

Robbe De Keyzer · Published 2005-08-17 · Updated 2008-09-05 · CVE-2005-2598

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Dokeos versions 1.6 and earlier; Claroline (affected versions not specified).

Description: The issue allows remote attackers to perform various malicious actions, including deleting arbitrary files or directories via the delete parameter to "claroline/scorm/scormdocument.php", moving arbitrary files via the move to and move file parameters to "claroline/document/document.php", or determining the existence of arbitrary files via the file parameter to "claroline/scorm/showinframes.php" or "claroline/scorm/contents.php".

Recommendations: For Dokeos versions 1.6 and earlier, consider disabling access to the affected API endpoints until a patch is available. Restrict access to the delete parameter in "claroline/scorm/scormdocument.php" to prevent arbitrary file deletion. Avoid using the move to and move file parameters in "claroline/document/document.php" to prevent arbitrary file movement. Limit access to the file parameter in "claroline/scorm/showinframes.php" and "claroline/scorm/contents.php" to prevent determining the existence of arbitrary files. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
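The three affected scripts share one root cause: a request parameter names a file and the script deletes, moves or stats it without confining the name to the course's document directory. The following check, an added example and not Dokeos or Claroline code, shows the containment test a defender would put in front of each of those operations; the base directory, the request parameter name and the handler around it are assumptions.

```php
<?php
// Added example (not Dokeos/Claroline code): confine a user-supplied file
// reference to one course document directory before deleting, moving or
// testing it. $baseDir and the 'file' parameter name are assumptions.

/**
 * Resolve $userPath relative to $baseDir and return the canonical absolute
 * path, or null if the result escapes $baseDir, does not exist, or the
 * input contains a NUL byte.
 */
function resolve_within(string $baseDir, string $userPath): ?string
{
    // A NUL byte would truncate the path in the underlying C-level calls.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // the base directory itself must exist
    }
    // realpath() collapses "..", symlinks and repeated separators and
    // returns false when the target does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\'));
    if ($target === false) {
        return null;
    }
    // Containment check on the canonical path. The trailing separator stops
    // a base of "/var/docs" from accepting "/var/docs_other/...".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Assumed handler: one uniform rejection for "outside the directory" and
// "does not exist", so the response cannot be used to probe other paths.
$courseDocs = '/var/www/claroline/courses/EXAMPLE/document'; // assumed
$requested  = $_GET['file'] ?? '';

$path = resolve_within($courseDocs, $requested);
if ($path === null) {
    http_response_code(400);
    exit('Invalid file reference.');
}
// Only now is it safe to hand $path to unlink(), rename() or file_exists().
```

Returning the same rejection for non-existent and out-of-directory targets is what closes the file-existence oracle the description mentions, not just the delete and move cases.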

Related Identifiers: CVE-2005-2598

Affected Products: Claroline, Dokeos