[Original text] Multiple directory traversal vulnerabilities in (1) document.php or (2) insertMyDoc.php in Claroline 1.5.3 through 1.6 Release Candidate 1, and possibly Dokeos, allow remote project administrators to upload arbitrary files.
Claroline contains a flaw that allows a remote attacker to upload or manipulate files or directories outside of the web path. The issue is due to document.php not properly sanitizing user input, specifically against traversal-style sequences (../../).
Upgrade to version 1.5.4, 1.6 final or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
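
A containment check of the kind the missing sanitization in the description above calls for, shown as an added example and not Claroline's actual fix. The function name, directory layout and sample inputs are hypothetical, and POSIX-style paths are assumed.

```php
<?php
// Added example: hypothetical helper, not Claroline code. Assumes POSIX paths.
// Resolves a user-supplied sub-directory and file name against a fixed document
// root and returns null when the result would fall outside that root.
function resolve_upload_target(string $baseDir, string $userDir, string $fileName): ?string
{
    // NUL bytes never belong in a path.
    if (strpos($userDir . $fileName, "\0") !== false) {
        return null;
    }
    // The file name must be one component: no separators, no dot entries.
    $fileName = str_replace('\\', '/', $fileName);
    if (in_array($fileName, ['', '.', '..'], true) || strpos($fileName, '/') !== false) {
        return null;
    }
    // Normalise the directory lexically and refuse any parent reference.
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $userDir)) as $part) {
        if ($part === '' || $part === '.') {
            continue; // collapse "//" and "./"
        }
        if ($part === '..') {
            return null;
        }
        $parts[] = $part;
    }
    // Resolve symlinks; only existing directories are accepted as targets.
    $realBase = realpath($baseDir);
    $realDir = realpath(rtrim($baseDir, '/') . '/' . implode('/', $parts));
    if ($realBase === false || $realDir === false) {
        return null;
    }
    // Final containment check on the resolved paths.
    if (strpos($realDir . '/', $realBase . '/') !== 0) {
        return null;
    }
    return $realDir . '/' . $fileName;
}

// Constructed inputs against a throwaway directory.
$base = sys_get_temp_dir() . '/course_docs_demo';
@mkdir($base . '/week1', 0700, true);
foreach (['week1', '', '../../etc', 'week1/../../..', '/week1/./'] as $dir) {
    $target = resolve_upload_target($base, $dir, 'notes.txt');
    echo str_pad("'$dir'", 20), ' => ', $target ?? 'REJECTED', PHP_EOL;
}
```

The check rejects parent references lexically before touching the filesystem, then compares resolved paths so a symlink inside the document root cannot redirect the write elsewhere.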