moodle142.txt
Posted Jan 2, 2005
Authored by Bartek Nowotarski

Moodle versions 1.4.2 and below suffer from cross site scripting and file inclusion vulnerabilities.

tags | exploit, vulnerability, xss, file inclusion
MD5 | b9eca4daf115cfb19a91e59348bc0731


+------------------------------------------------------------------------------+
|                                                                              |
| Multiple Vulnerabilities in Moodle                                           |
| ==================================                                           |
|                                                                              |
| Author: Bartek Nowotarski                                                    |
| Published: 2004-12-27                                                        |
+------------------------------------------------------------------------------+


[01] General information
~~~~~~~~~~~~~~~~~~~~~~~~

] Document author: Bartek Nowotarski (silence) [
] Location: Trzebinia, Poland [
] E-mail: silence10 wp pl [
] Site: silence 0 pl [

] Application: Moodle [
] Versions vulnerable: <= 1.4.2 [


[02] Introduction
~~~~~~~~~~~~~~~~~

`Moodle is a course management system (CMS) - a software package designed to
help educators create quality online courses. Such e-learning systems are
sometimes also called Learning Management Systems (LMS) or Virtual Learning
Environments (VLE).` /www.moodle.org
It has over 1000 *registered* sites in 75 countries.

Project home site: http://www.moodle.org


[03] Vulnerabilities
~~~~~~~~~~~~~~~~~~~~

Two vulnerabilities have been found in Moodle CMS:

a) ] Type: Cross Site Scripting [
] File: /mod/forum/view.php [

] Description: [

It is a well-known fact that every user-controlled variable should be
validated before use. The variable $search in view.php is not: it is
passed straight into the search form that is echoed back to the browser.

54> $buttontext = forum_print_search_form($course, $search, true,
> "plain");

] Proof of concept: [

The following request pops up an alert containing the logged-in user's cookies:

> http://localhost/moodle/mod/forum/view.php?id=1&search=moodle%22%3E
> %3Cscript%3Ealert(document.cookie)%3C/script%3E

where the id parameter must be an existing course ID.

b) ] Type: Session File Disclosure [
] File: file.php [

] Description: [

All files containing session data are saved in the `moodledata` directory,
which should not be reachable from the web. It is, however, possible to
gain access to them:

45> $pathname = "$CFG->dataroot$pathinfo";

$pathinfo is checked by the function detect_munged_arguments(), but that
check still allows a single `..` to step up to the parent directory. One
step is enough to move from a course directory to `moodledata` itself and
then read the session files from `sessions`. The session ID needed to name
a file can be obtained with the cross site scripting vulnerability (a).

] Proof of concept: [

The following request will disclose a session file:

> http://localhost/moodle/file.php?file=/1/../sessions/
> sess_6ac3b47ee23c6aa55896f4cd68af9622

where:
- `1` after `?file=/` is an existing course ID,
- `6ac3b47ee23c6aa55896f4cd68af9622` is the session ID.
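As an added illustration (written for this page, not Moodle's code and not part of the advisory), the Python below reconstructs the "one `..` is tolerated" rule the advisory describes beside a containment check that canonicalizes the path before deciding. The dataroot value, the function names and the rule that the first segment must be a numeric course ID are assumptions.

```python
import posixpath

# Assumed dataroot for the demonstration; the real value is site-specific.
DATAROOT = "/var/moodledata"
# Path from the advisory's proof of concept, used here as a sample input.
SAMPLE_SESSION_FILE = "/1/../sessions/sess_6ac3b47ee23c6aa55896f4cd68af9622"


def lenient_check(pathinfo: str) -> bool:
    """Hypothetical stand-in for a check that tolerates one '..' component,
    the behaviour the advisory attributes to detect_munged_arguments().
    Returns True when the path would be accepted."""
    parents = [seg for seg in pathinfo.split("/") if seg == ".."]
    return len(parents) <= 1


def strict_resolve(pathinfo: str):
    """Hardened check: canonicalize the full path and require it to stay
    inside the course directory named by the first segment. Returns the
    resolved path, or None when the request is rejected."""
    segments = [seg for seg in pathinfo.split("/") if seg]
    if not segments or not segments[0].isdigit():
        return None  # the first component must be a numeric course id
    course_dir = posixpath.join(DATAROOT, segments[0])
    resolved = posixpath.normpath(posixpath.join(DATAROOT, *segments))
    # Containment is decided on the canonical path, not on the raw string,
    # so a '..' that escapes the course directory is caught wherever it sits.
    if resolved != course_dir and not resolved.startswith(course_dir + "/"):
        return None
    return resolved


if __name__ == "__main__":
    print("lenient accepts PoC path:", lenient_check(SAMPLE_SESSION_FILE))   # True
    print("strict resolves PoC path:", strict_resolve(SAMPLE_SESSION_FILE))  # None
    print("strict resolves a course file:", strict_resolve("/1/lecture1.pdf"))
```

A single `..` inside the course directory (`/1/sub/../notes.txt`) is still resolved and accepted, so the stricter check does not break legitimate relative references.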


[04] Solution
~~~~~~~~~~~~~

The Session File Disclosure vulnerability is patched in version 1.4.3.
The Cross Site Scripting vulnerability will probably be patched in
version 1.5.


[05] Timeline
~~~~~~~~~~~~~

] 2004-12-09 [ Session File Disclosure vulnerability (b) discovered
] 2004-12-10 [ Cross Site Scripting vulnerability (a) discovered
] 2004-12-13 [ Vendor informed
] 2004-12-14 [ Session File Disclosure vulnerability (b) patched
] 2004-12-27 [ Advisory published


[06] Credits
~~~~~~~~~~~~

Vulnerabilities discovered by Bartek Nowotarski.


--EOF--
