qcred11
Jul 2 2004, 03:01 PM
| QUOTE |
Summary: The Miller Group, Inc. [www.miller-group.net] announces the release of Centre, a free student information system for public and non-public schools. Centre is a web-based, open source, student management product with features that include scheduling, grade book, attendance, eligibility, transcripts, and more. And, of course, student and employee information screens are critical components of Centre.
Version: 1.0
Exploit: Centre does not check that a user is logged in and has sufficient permissions to perform admin tasks. An example of this can be seen when attempting to create a new account:
http://demo.miller-group.net/index.php?mod...in&staff_id=new
However, this problem exists at almost every level within the software. There are also poor checks carried out when passing user data, which could lead to SQL injection problems. There is a more serious problem within modules.php: there is no checking on the path of the module, which could lead to PHP injection.
Modules.php?modname=../../../MyCode/Stuff.php
Fix: Disable centre until an update is released (the problems are too extensive).
|
link is unavailable
Sent by mailing list
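As an added illustration of how both defects in the quoted advisory are closed (not Centre's own code, and not from the Miller Group): a dispatcher where the request only selects a key from a fixed module table, and every module is gated on a logged-in session with an admin role where required. The module table, the modules/ directory and the session keys are assumptions.

```php
<?php
// Added example, not Centre's own code: a hardened dispatcher for the two defects the
// advisory describes (request-controlled include path, no login/permission check).
// The module table, the modules/ directory and the session keys are assumptions.

declare(strict_types=1);
// The pattern the advisory implies (assumed, not quoted from Centre): the request
// string becomes the include path, so modname=../../../MyCode/Stuff.php escapes the tree.
//   include($_GET['modname']);

// Fixed: request input only selects a key; nothing outside this table can be loaded.
const MODULES = [
    'scheduling' => ['file' => 'scheduling.php', 'admin' => false],
    'attendance' => ['file' => 'attendance.php', 'admin' => false],
    'staff'      => ['file' => 'staff.php',      'admin' => true],  // account creation
];
const MODULE_DIR = __DIR__ . '/modules';

/** Map a request parameter to an on-disk path, or null if the name is not allowed. */
function resolve_module(string $modname): ?string
{
    if (!isset(MODULES[$modname])) {
        return null;           // unknown name, including any '../' attempt
    }
    return MODULE_DIR . '/' . MODULES[$modname]['file'];
}

/** The check the advisory says is missing: a login for every module, admin role for admin ones. */
function is_authorised(array $session, string $modname): bool
{
    if (empty($session['user_id']) || !isset(MODULES[$modname])) {
        return false;          // anonymous request, or a module we do not know
    }
    return !MODULES[$modname]['admin'] || ($session['role'] ?? '') === 'admin';
}

if (PHP_SAPI !== 'cli') {
    session_start();
    $modname = (string)($_GET['modname'] ?? '');
    $path = resolve_module($modname);
    if ($path === null || !is_authorised($_SESSION, $modname)) {
        http_response_code(403);   // deny before any module code runs
        exit('Forbidden');
    }
    require $path;
} else {
    // CLI self-check of both guards, no web server needed.
    var_dump(resolve_module('../../../MyCode/Stuff.php'), is_authorised([], 'staff'));
    var_dump(is_authorised(['user_id' => 7, 'role' => 'admin'], 'staff'));
}
```

Run from the command line it exercises the guards without a web server; deployed as modules.php it denies the unauthenticated staff_id=new request and the traversal path from the advisory before any module code is included.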