Docebo contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to multiple scripts not properly sanitizing user input supplied to multiple variables. This may allow an attacker to overwrite global variables to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

This vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002).

The flawed scripts are reported to include lib.permission.php, lib.pagewriter.php, lib.lang.php, lib.template.php, lib.mimetype.php, lib.simplesel.php, lib.filelist.php, tree.documents.php, lib.repo.php, lib.php, lib.teleskill.php.

The variables which can be exploited are reported to include where_framework, where_scs, where_cms, where_lms, where_upgrade, BBC_LIB_PATH, and BBC_LANGUAGE_PATH.

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

• Milw0rm: 1817
• Exploit Database: 1817
• CVE ID: 2006-2576 (see also: NVD) 2006-2577 (see also: NVD)
• Secunia Advisory ID: 20260
• ISS X-Force ID: 26633
• Generic Exploit URL: http://www.devilteam.yum.pl/dtexpl/Docebo%203.0.3%20-%20Remote%20File%20Include.html
• Vendor URL: http://www.docebocms.org/

• Kacper - kacper1964yahoo.pl - DEVIL TEAM