PT-2006-3252 · Dokeos · Dokeos

Published

2006-05-09

Updated

2017-07-20

CVE-2006-2286

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions Dokeos versions 1.6.3 and earlier Dokeos community release version 2.0.3

Description The issue allows remote attackers to execute arbitrary PHP code via a URL in several parameters, including rootSys and clarolineRepositorySys, and possibly lang path, extAuthSource, thisAuthSource, main configuration file path, phpDigIncCn, and drs to specific API endpoints, such as "testheaderpage.php" and "resourcelinker.inc.php".

Recommendations For Dokeos versions 1.6.3 and earlier, consider disabling the clarolineRepositorySys and rootSys parameters in the affected API endpoints until a patch is available. For Dokeos community release version 2.0.3, restrict access to the parameters lang path, extAuthSource, thisAuthSource, main configuration file path, phpDigIncCn, and drs in the "testheaderpage.php" and "resourcelinker.inc.php" endpoints to minimize the risk of exploitation.

Fix

RCE

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

CVE-2006-2286

Affected Products

Dokeos

PT-2006-3252 · Dokeos · Dokeos

CVE-2006-2286

Weakness Enumeration

Related Identifiers

Affected Products

References · 7