Dokeos LMS <= 1.8.5 (tablesort.lib.php) PHP Code Injection Vulnerability
Description:
Dokeos contains a flaw that may allow a malicious user to execute arbitrary PHP code. The issue arises because user-supplied input passed via the 'tablename_column' parameter to the whoisonline.php script is not properly sanitized before being used in a call to the create_function() PHP function in the main/inc/lib/tablesort.lib.php script.
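The class of flaw described above, as an added example that is not Dokeos source code: the unsafe create_function() pattern appears only as a comment, followed by a hardened sort that treats the column purely as data. The function name sort_table_safe, the sample rows and the exact shape of the unsafe call are assumptions made for illustration; rows are assumed to be numerically indexed arrays of equal width.

```php
<?php
// Added illustration with hypothetical names; not taken from tablesort.lib.php.

// Unsafe pattern (comment only; create_function() was removed in PHP 8.0):
//   $column  = $_GET['tablename_column'];
//   $compare = create_function('$a, $b',
//       'return strnatcmp($a['.$column.'], $b['.$column.']);');
// create_function() evaluates its body string as PHP, so whatever text is in
// $column becomes part of the code that runs.

/**
 * Hardened form: validate the column as an integer index, then compare with
 * a closure. No code string is ever built from request data.
 */
function sort_table_safe(array $rows, $rawColumn, string $direction = 'ASC'): array
{
    if ($rows === []) {
        return $rows;
    }
    $width = count(reset($rows));

    // Accept only a plain integer that is a real column index.
    $column = filter_var($rawColumn, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => $width - 1],
    ]);
    if ($column === false) {
        $column = 0; // fixed default instead of using the rejected input
    }

    // Direction is mapped to a constant, never interpolated.
    $sign = strtoupper($direction) === 'DESC' ? -1 : 1;

    // The closure captures $column as a value.
    usort($rows, function (array $a, array $b) use ($column, $sign): int {
        return $sign * strnatcmp((string) $a[$column], (string) $b[$column]);
    });
    return $rows;
}

// Constructed sample data.
$rows = [['carol', '10'], ['alice', '9'], ['bob', '2']];
print_r(sort_table_safe($rows, '1'));            // integer index in range
print_r(sort_table_safe($rows, 'not-a-number')); // rejected, default column used
```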
Disclosure Date:
April 21, 2009