Dokeos LMS <= 1.8.5 (tablesort.lib.php) PHP Code Injection Vulnerability


Dokeos contains a flaw that may allow a malicious user to execute arbitrary PHP code. The issue arises because user-supplied input passed via the ‘tablename_column’ parameter to the whoisonline.php script is not properly sanitized before being used in a call to the create_function() PHP function in the main/inc/lib/tablesort.lib.php script.


Disclosure Date:

April 21, 2009
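The class of bug described above, with a hardened replacement, as an added example that is not Dokeos code: the function name, the row layout and the assumption that the column parameter is meant to be a numeric column index are all hypothetical.

```php
<?php
// Added example, not code from Dokeos. All names here are hypothetical.
//
// Vulnerable pattern (kept as a comment, never executed): the request value is
// concatenated into PHP source that create_function() compiles at run time,
// so whoever controls the parameter controls the code.
//   $cmp = create_function('$a,$b',
//       'return strnatcmp($a[' . $column . '], $b[' . $column . ']);');
//   usort($rows, $cmp);
// create_function() was deprecated in PHP 7.2 and removed in PHP 8.0.

/**
 * Sort rows by one column without ever building code from input.
 * $column is treated as untrusted and only accepted as an in-range integer.
 */
function sort_rows_by_column(array $rows, $column, int $direction = SORT_ASC): array
{
    if ($rows === []) {
        return $rows;
    }
    // Accept only a non-negative integer; anything else becomes false.
    $index = filter_var($column, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]);
    $width = count(reset($rows));
    if ($index === false || $index >= $width) {
        $index = 0; // fall back to the first column instead of trusting input
    }
    $sign = ($direction === SORT_DESC) ? -1 : 1;
    // The closure captures the validated integer as data, not as source text.
    usort($rows, function (array $a, array $b) use ($index, $sign): int {
        return $sign * strnatcasecmp((string) $a[$index], (string) $b[$index]);
    });
    return $rows;
}

// Constructed sample data and constructed parameter values.
$rows = [['Smith', 'Ann'], ['Adams', 'Zoe'], ['Lee', 'Bob']];
foreach (['1', '7', 'abc'] as $input) {
    $sorted = sort_rows_by_column($rows, $input);
    // '1' sorts by the second column; '7' (out of range) and 'abc'
    // (not an integer) both fall back to column 0.
    echo str_pad($input, 4), ' => ', implode(', ', array_column($sorted, 0)), PHP_EOL;
}
```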