#############

Description

#############

Vendor: http://www.claroline.net

The file claroline/auth/extauth/drivers/ldap.inc.php uses the variable

clarolineRepositorySys in a include() function without being declared.

There are other files vulnerable in the same folder, this exploit only

attacks ldap.inc.php

There is other vulnerable file claroline/auth/extauth/casProcess.inc.php

it uses the claro_CasLibPath in a include function but this is not being

declared either, so pwnt, RFI. Vendor was contacted through email,

no response, so i just posted this here and on its forum.

############

Vulnerable code (lda.inc.php)

############

return require $clarolineRepositorySys.'/auth/extauth/extAuthProcess.inc.php';

############

Vulnerable code (casProcess.inc.php)

############
#if ( ! isset($_SESSION['init_CasCheckinDone'] )

|| $logout

|| ( basename($_SERVER['SCRIPT_NAME']) == 'login.php' &&

isset($_REQUEST['authModeReq']) && $_REQUEST['authModeReq'] == 'CAS' )

|| isset($_REQUEST['fromCasServer']) )

#{

include_once $claro_CasLibPath;

############

Check www.milw0rm.com for the exploit code.

############

Greets

][GB][ Zetha Wlion desKrriado uyx ASC

############