Release date:
Updated on:
Affected Systems:
Dokeos e-learning Dokeos <= 2.2 RC2
Description:
--------------------------------------------------------------------------------
CVE (CAN) ID: CVE-2013-6341
Dokeos is an open-source online education and curriculum management system.
Dokeos 2.2 RC2 and earlier versions do not correctly validate the value of the "language" HTTP GET parameter passed to /index.php. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands against the application database.
<* Source: vendor
Link: http://www.securityfocus.com/archive/1/530035
*>
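Since the flaw is an unvalidated GET parameter, the request itself is the detection signal. The following Python script is an added example (not part of this advisory or of the Dokeos project): it parses web server access log lines in the combined format, extracts every "language" value sent to /index.php, URL-decodes it repeatedly (so a double-encoded payload is not missed), and flags values that fall outside the plain language-name shape the application expects and also contain SQL metacharacters or keywords. The log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access log lines (combined log format); not taken from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2013:12:00:01 +0000] "GET /index.php?language=english HTTP/1.1" 200 5120
203.0.113.5 - - [10/Nov/2013:12:00:02 +0000] "GET /index.php?language=0%27%20UNION%20SELECT%20version%28%29%20--%20 HTTP/1.1" 200 5188
198.51.100.7 - - [10/Nov/2013:12:00:03 +0000] "GET /index.php?language=0%2527%2520UNION%2520SELECT HTTP/1.1" 200 5120
198.51.100.7 - - [10/Nov/2013:12:00:04 +0000] "GET /user_portal.php HTTP/1.1" 200 3000
"""

# Client IP and request line of a combined-format access log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Shape a legitimate Dokeos language name is assumed to have (e.g. "english"); assumption for this example.
LANGUAGE_RE = re.compile(r"^[A-Za-z_]{1,32}$")

# SQL metacharacters and keywords that should never appear in a language name.
SQLI_RE = re.compile(r"(['\"#]|--|/\*|\bunion\b|\bselect\b|\bor\b\s+\d)", re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing, bounded to avoid looping on hostile input."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_language_values(target: str) -> list[str]:
    """Return the decoded 'language' values of a request to /index.php that look like SQL injection."""
    parts = urlsplit(target)
    if parts.path != "/index.php":
        return []
    hits = []
    # parse_qs performs one round of percent-decoding; fully_decode handles deeper encodings.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("language", []):
        value = fully_decode(raw)
        if not LANGUAGE_RE.match(value) and SQLI_RE.search(value):
            hits.append(value)
    return hits


def scan_log(text: str) -> list[dict]:
    """Scan access log text and return one record per suspicious 'language' value seen."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        for value in suspicious_language_values(m.group("target")):
            findings.append({"ip": m.group("ip"), "language": value})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ip']}: suspicious language parameter {finding['language']!r}")
```

Requiring both conditions (outside the expected name shape and containing SQL syntax) keeps noise down: a misspelled but harmless language name is not reported, while a single-quoted UNION payload is, whether it arrives encoded once or twice. The same allowlist regular expression is the natural server-side fix: reject any "language" value that does not name an installed language before it reaches a query.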
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
http://[host]/index.php?language=0%27%20UNION%20SELECT %, version % 28% 202, % 20 -- %
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Dokeos e-learning
-----------------
The vendor has not yet released a patch or upgrade. Users of this software are advised to check the vendor's homepage for the latest version:
http://www.dokeos.com/
Unofficial patch:
https://www.htbridge.com/advisory/HTB23181-patch.zip