CVE-2008-0850 in Dokeos
Summary
by MITRE
Multiple SQL injection vulnerabilities in Dokeos 1.8.4 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to whoisonline.php, (2) tracking_list_coaches_column parameter to main/mySpace/index.php, (3) tutor_name parameter to main/create_course/add_course.php, the (4) Referer HTTP header to index.php, and the (5) X-Fowarded-For HTTP header to main/admin/class_list.php.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 05/29/2025
The vulnerability identified as CVE-2008-0850 represents a critical security flaw in Dokeos 1.8.4 learning management system, exposing multiple pathways for remote attackers to execute arbitrary SQL commands through carefully crafted input vectors. This vulnerability classifies under CWE-89 SQL Injection, which is a fundamental weakness in web applications that allows malicious actors to manipulate database queries by inserting malicious SQL code into input fields. The affected Dokeos platform, widely used in educational institutions for online learning management, becomes susceptible to unauthorized data access, modification, and potential system compromise through these injection points.
The technical exploitation occurs through five distinct parameters across different application modules, each representing a separate attack surface. The first vector involves the id parameter in whoisonline.php, where unfiltered user input allows attackers to manipulate session tracking queries. The second vulnerability exists in main/mySpace/index.php through the tracking_list_coaches_column parameter, enabling attackers to inject malicious SQL into coach listing queries. The third attack vector targets main/create_course/add_course.php via the tutor_name parameter, where course creation processes fail to properly sanitize user-provided tutor names. The fourth and fifth vectors utilize HTTP headers - Referer in index.php and X-Forwarded-For in main/admin/class_list.php - demonstrating how HTTP header manipulation can bypass traditional input validation mechanisms.
These vulnerabilities create significant operational impacts that extend beyond simple data theft. Attackers can leverage SQL injection to extract sensitive user information including student records, course materials, and administrative credentials. The compromise of these systems poses severe risks to educational institutions, potentially leading to data breaches, unauthorized access to confidential academic information, and disruption of learning management services. The attack surface spans multiple functional areas of the platform, from user tracking to course creation and administrative functions, amplifying the potential damage. According to ATT&CK framework, this vulnerability maps to T1190 Exploit Public-Facing Application and T1071.004 Application Layer Protocol HTTP, demonstrating how attackers can exploit web application weaknesses to gain deeper system access.
Mitigation strategies should focus on implementing comprehensive input validation and parameterized queries throughout the application codebase. The most effective approach involves adopting prepared statements and parameterized queries to prevent SQL injection, while also implementing proper input sanitization for all user-supplied data. Organizations should also implement web application firewalls to detect and block suspicious SQL injection patterns, and establish regular security auditing processes to identify similar vulnerabilities in other application components. Additionally, the use of least privilege principles and database access controls can limit the potential damage from successful exploitation attempts, ensuring that even if injection occurs, attackers cannot access sensitive system resources or perform administrative functions.