Info

Disclosure

May 21, 2006

Discovery

Unknown

Dates

Exploit

May 21, 2006

Solution

Unknown

Description

Docebo contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to multiple scripts not properly sanitizing user input supplied to multiple variables. This may allow an attacker to overwrite global variables to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

Docebo SRL

Docebo

3.0.3

References

Milw0rm: 1817
Exploit Database: 1817
CVE ID: 2006-2576 (see also: NVD) 2006-2577 (see also: NVD)
Secunia Advisory ID: 20260
ISS X-Force ID: 26633
Generic Exploit URL: http://www.devilteam.yum.pl/dtexpl/Docebo%203.0.3%20-%20Remote%20File%20Include.html
Vendor URL: http://www.docebocms.org/

Credit

Kacper - kacper1964yahoo.pl - DEVIL TEAM

Direct URL: http://osvdb.org/25757