This exploit targets a Local File Inclusion (LFI) vulnerability in Dokeos LMS <= 1.8.5, allowing an attacker to upload a malicious HTML file via the FCKeditor upload functionality and then include it to achieve Remote Code Execution (RCE). The exploit uses a combination of file upload and path traversal techniques to bypass input sanitization.
Classification: Working PoC 95%
Target: Dokeos LMS <= 1.8.5
Auth required
Prerequisites: Valid credentials for Dokeos LMS · FCKeditor upload functionality enabled · Windows-based target system (due to path traversal using backslashes)