#############
Description
#############
The file claroline/auth/extauth/drivers/ldap.inc.php passes the variable
$clarolineRepositorySys to a file-inclusion statement (require) without the
variable ever being declared. Other files in the same folder are vulnerable
as well; this exploit only attacks ldap.inc.php.
Another vulnerable file is claroline/auth/extauth/casProcess.inc.php:
it passes $claro_CasLibPath to an include statement, and this variable is not
declared either, so pwnt, RFI. Vendor was contacted through email,
no response, so I just posted this here and on its forum.
############
Vulnerable code (ldap.inc.php)
############
return require $clarolineRepositorySys.'/auth/extauth/extAuthProcess.inc.php';
############
Vulnerable code (casProcess.inc.php)
############
if ( ! isset($_SESSION['init_CasCheckinDone'] )
    || $logout
    || ( basename($_SERVER['SCRIPT_NAME']) == 'login.php' &&
         isset($_REQUEST['authModeReq']) && $_REQUEST['authModeReq'] == 'CAS' )
    || isset($_REQUEST['fromCasServer']) )
{
    include_once $claro_CasLibPath;
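For auditing the rest of the folder for the same defect, the following is an added example (not part of the original advisory and not Claroline code): a heuristic check that flags include/require statements whose path variable is never assigned earlier in the same file. The function names are hypothetical, the first two samples are trimmed from the snippets above, and the third is constructed; the check does not follow assignments made in other files, so a hit means "review this include", not "confirmed vulnerable".

```python
import re

INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\b([^;]*);', re.I)
VAR_RE = re.compile(r'\$([A-Za-z_]\w*)')
COMMENT_RE = re.compile(r'/\*.*?\*/|(?://|#)[^\n]*', re.S)
# Superglobals always exist; whether their content is trustworthy is a separate review.
SUPERGLOBALS = {'GLOBALS', '_SERVER', '_GET', '_POST', '_REQUEST',
                '_COOKIE', '_FILES', '_SESSION', '_ENV'}

def _blank(match):
    # Drop the comment but keep its newlines so line numbers stay correct.
    return '\n' * match.group(0).count('\n')

def assigned_before(src, name, pos):
    """True if `$name =` (not `==` or `=>`) occurs before offset pos."""
    pat = re.compile(r'\$' + re.escape(name) + r'\s*=(?![=>])')
    return pat.search(src, 0, pos) is not None

def unassigned_include_vars(src):
    """Return (line, variable) for each include path variable with no prior assignment."""
    src = COMMENT_RE.sub(_blank, src)
    findings = []
    for m in INCLUDE_RE.finditer(src):
        line = src.count('\n', 0, m.start()) + 1
        for name in VAR_RE.findall(m.group(1)):
            if name not in SUPERGLOBALS and not assigned_before(src, name, m.start()):
                findings.append((line, name))
    return findings

# Samples: the first two are trimmed from the advisory's snippets, the third is constructed.
LDAP_DRIVER = """<?php
return require $clarolineRepositorySys.'/auth/extauth/extAuthProcess.inc.php';
"""
CAS_PROCESS = """<?php
if ( isset($_REQUEST['fromCasServer']) )
{
    include_once $claro_CasLibPath;
}
"""
FIXED_PATH = """<?php
// constructed: the path is derived inside the file before it is used
$libPath = dirname(__FILE__) . '/lib';
require_once $libPath . '/driver.php';
"""

if __name__ == '__main__':
    for label, code in [('ldap', LDAP_DRIVER), ('cas', CAS_PROCESS), ('fixed', FIXED_PATH)]:
        print(label, unassigned_include_vars(code))
```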
############
############
Greets
][GB][ Zetha Wlion desKrriado uyx ASC
############