=====================================================================
                                   CERT-Renater

                        Information Note No. 2009/VULN184
_____________________________________________________________________

DATE                      : 15/05/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Dokeos 1.8.5.

======================================================================
http://www.dokeos.com/wiki/index.php/Security#Dokeos_1.8
______________________________________________________________________

  Dokeos 1.8

    * 2009-05-12: A new set of security issues, rated as HIGH potential
damage, has been detected in Dokeos, including XSS, SQL injection and
directory traversal vulnerabilities. These affect version 1.8.5 and
possibly earlier versions of Dokeos. Some of the flaws were reported by
Russ McRee to Secunia and the others by Gerendi Sandor Attila.

The attached patch applies to Dokeos 1.8.5. Please download it and unzip it
inside your Dokeos 1.8.5 root directory to cover the existing flaws. A patch
(-Naur) file is also included, which can be applied with the patch command
(if you feel comfortable with it). This is a cumulative patch that covers all
vulnerabilities detected in 1.8.5 to date, including the ones below.

Download the patch here.

The recent increase in vulnerability reports has led us to train ourselves better
internally in order to ensure better protection for all of you in Dokeos 1.8.6.
One of the steps taken was to replace the kses library with the HTML Purifier library
in the core of Dokeos, in order to better filter XSS attacks and SQL injections.
We recommend you move to Dokeos 1.8.6 stable as soon as it is available.

After applying the patch, please make sure that the file
main/inc/lib/xajax/tests/changeLister.php doesn't exist or is empty, as this
file has been used as a backdoor and is *NOT NECESSARY* for Dokeos.
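
The post-patch check above, as an added example script that is not part of
this advisory or of Dokeos: it takes the Dokeos root directory as its argument
(an assumption), reports whether changeLister.php is absent, empty, or present
and non-empty, and returns non-zero in the last case so the host can be
investigated before it is trusted again.

```shell
#!/bin/sh
# Post-patch verification for Dokeos 1.8.5 (added example, not the project's code).
# Checks main/inc/lib/xajax/tests/changeLister.php, which the advisory says must
# not exist or must be empty because it has been used as a backdoor.

SUSPECT_REL="main/inc/lib/xajax/tests/changeLister.php"

# check_backdoor_file ROOT
#   returns 0 if the file is missing or empty (compliant with the advisory),
#   returns 1 if it exists and is non-empty (treat the host as possibly compromised).
check_backdoor_file() {
    root="$1"
    f="$root/$SUSPECT_REL"
    if [ ! -e "$f" ]; then
        echo "OK: $f does not exist"
        return 0
    fi
    if [ ! -s "$f" ]; then
        echo "OK: $f exists but is empty"
        return 0
    fi
    # Non-empty copy: keep the evidence (owner, size, mtime) before anyone removes it.
    echo "WARNING: $f is present and non-empty; it is not needed by Dokeos" >&2
    ls -l "$f" >&2
    echo "         preserve a copy for forensic review, then remove or empty the file" >&2
    return 1
}

# When run as a script: ./check_dokeos_patch.sh /var/www/dokeos (path is an assumption)
if [ -n "${1:-}" ]; then
    check_backdoor_file "$1"
    exit $?
fi
```

A non-zero exit here means the patch alone is not enough: the file indicates the server may already have been accessed, so review web server logs from before the patch was applied.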


======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
