+------------------------------------------------------------------------------+
|                                                                              |
|                    Multiple Vulnerabilities in Moodle                         |
|                    ==================================                        |
|                                                                              |
|                    Author: Bartek Nowotarski                                 |
|                    Published: 2004-12-27                                     |
+------------------------------------------------------------------------------+

[01] General information
~~~~~~~~~~~~~~~~~~~~~~~~

  ] Document author: Bartek Nowotarski (silence) [
  ] Location: Trzebinia, Poland [
  ] E-mail: silence10 wp pl [
  ] Site: silence 0 pl [
  ] Application: Moodle [
  ] Versions vulnerable: <= 1.4.2 [

[02] Introduction
~~~~~~~~~~~~~~~~~

  `Moodle is a course management system (CMS) - a software package designed
  to help educators create quality online courses. Such e-learning systems
  are sometimes also called Learning Management Systems (LMS) or Virtual
  Learning Environments (VLE).`
                                                            /www.moodle.org

  It has over 1000 registered sites in 75 countries.

  Project home site: http://www.moodle.org

[03] Vulnerabilities
~~~~~~~~~~~~~~~~~~~~

  Two vulnerabilities have been found in Moodle CMS:

  a)
  ] Type: Cross Site Scripting [
  ] File: /mod/forum/view.php [

  ] Description: [

  It is a well-known fact that every user-supplied variable should be
  checked for unexpected values. The variable $search in view.php is not:
  it is handed straight to the search form and echoed back unescaped.

  54> $buttontext = forum_print_search_form($course, $search, true,
    >                                       "plain");

  ] Proof of concept: [

  The following request will alert the cookies of the logged-in user who
  opens it:

  > http://localhost/moodle/mod/forum/view.php?id=1&search=moodle%22%3E
  > %3Cscript%3Ealert(document.cookie)%3C/script%3E

  where the id variable must be an existing course ID. Decoded, the search
  value is `moodle"><script>alert(document.cookie)</script>`: the `">`
  closes the form field's value attribute and the rest is rendered as
  markup.

  b)
  ] Type: Session File Disclosure [
  ] File: file.php [

  ] Description: [

  All files containing session data are saved in the `moodledata`
  directory, which should not be reachable from the web. It is nevertheless
  possible to gain access to them through file.php:

  45> $pathname = "$CFG->dataroot$pathinfo";

  $pathinfo is checked by the function detect_munged_arguments(), which
  allows one use of `..` to step into the parent directory.
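  Both issues are input-validation failures, so here is one added example
  (illustrative Python written for this page, not Moodle's PHP) that models
  (a) the search value echoed into the form attribute unescaped beside the
  HTML-escaped version, and (b) a `..` filter that tolerates a single
  traversal, in the spirit of the detect_munged_arguments() behaviour
  described above, beside a resolve-and-check that keeps the request inside
  the course directory. DATAROOT, the exact form markup and the filter's
  internals are assumptions; the payload and path are the advisory's own
  proof-of-concept values, URL-decoded.

```python
"""Models of advisory issues (a) and (b). Illustrative code written for this
page; it is not Moodle's own implementation."""
import html
import posixpath
from typing import Optional

# Assumed $CFG->dataroot; the dataroot/<courseid>/... layout follows the advisory.
DATAROOT = "/var/moodledata"

# Proof-of-concept values from the advisory, URL-decoded.
XSS_PAYLOAD = 'moodle"><script>alert(document.cookie)</script>'
TRAVERSAL_PATH = "/1/../sessions/sess_6ac3b47ee23c6aa55896f4cd68af9622"


# --- (a) $search echoed into the forum search form --------------------------

def search_form_vulnerable(search: str) -> str:
    """Assumed shape of the form: $search lands inside value="" unescaped,
    so a '">' in the input closes the attribute and the rest becomes markup."""
    return f'<input type="text" name="search" value="{search}">'


def search_form_fixed(search: str) -> str:
    """Same form with the value escaped (the htmlspecialchars() equivalent)."""
    return f'<input type="text" name="search" value="{html.escape(search, quote=True)}">'


def contains_script_tag(markup: str) -> bool:
    """Crude detector used only to show the difference between the two forms."""
    return "<script>" in markup.lower()


# --- (b) $pathinfo appended to $CFG->dataroot in file.php -------------------

def munged_check_weak(pathinfo: str) -> bool:
    """Approximation of a filter that tolerates one '..' component (the
    advisory reports detect_munged_arguments() allows a single use)."""
    parts = pathinfo.split("/")
    return parts.count("..") <= 1 and "\0" not in pathinfo


def resolve_weak(pathinfo: str) -> Optional[str]:
    """Vulnerable: concatenate and normalise; one '..' is enough to leave the
    course directory and reach dataroot/sessions."""
    if not munged_check_weak(pathinfo):
        return None
    return posixpath.normpath(DATAROOT + pathinfo)


def resolve_safe(pathinfo: str) -> Optional[str]:
    """Hardened: resolve first, then require the result to stay under
    DATAROOT/<courseid>/. Counting '..' is not the check; containment is."""
    parts = pathinfo.strip("/").split("/", 1)
    if len(parts) != 2 or not parts[0].isdigit() or "\0" in pathinfo:
        return None
    course_dir = posixpath.join(DATAROOT, parts[0])
    target = posixpath.normpath(posixpath.join(course_dir, parts[1]))
    # On a real filesystem also apply os.path.realpath() so a symlink inside
    # the course directory cannot point back out of it.
    if not target.startswith(course_dir + "/"):
        return None
    return target


if __name__ == "__main__":
    print("vulnerable form :", search_form_vulnerable(XSS_PAYLOAD))
    print("fixed form      :", search_form_fixed(XSS_PAYLOAD))
    print("weak resolve    :", resolve_weak(TRAVERSAL_PATH))
    print("safe resolve    :", resolve_safe(TRAVERSAL_PATH))
```

  Run stand-alone, the weak resolver returns a path under
  /var/moodledata/sessions while the safe one returns None for the same
  request; a legitimate course file such as /1/notes/week1.pdf passes the
  safe check. The same containment test also rejects `/12/../1/x`, a
  one-`..` path that the counting filter would wave through.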
  A single `..` is enough to step from the course directory up to
  `moodledata` itself and then read the `sess_*` files from the `sessions`
  directory. A session ID to target can be obtained with the cross site
  scripting vulnerability from (a).

  ] Proof of concept: [

  The following request will disclose the session file:

  > http://localhost/moodle/file.php?file=/1/../sessions/
  > sess_6ac3b47ee23c6aa55896f4cd68af9622

  where:
    - `1` after "?file=/" is an existing course ID,
    - `6ac3b47ee23c6aa55896f4cd68af9622` is the session ID.

  A filter that merely counts `..` components is not a sufficient defence;
  the path must be resolved and then verified to lie inside the course
  directory that file.php is meant to serve.

[04] Solution
~~~~~~~~~~~~~

  The Session File Disclosure vulnerability is patched in version 1.4.3.
  The Cross Site Scripting vulnerability will probably be patched in
  version 1.5.

[05] Timeline
~~~~~~~~~~~~~

  ] 2004-12-09 [ Session File Disclosure vulnerability (b) discovered
  ] 2004-12-10 [ Cross Site Scripting vulnerability (a) discovered
  ] 2004-12-13 [ Vendor informed
  ] 2004-12-14 [ Session File Disclosure vulnerability (b) patched
  ] 2004-12-27 [ Advisory published

[06] Credits
~~~~~~~~~~~~

  Vulnerabilities discovered by Bartek Nowotarski.

--EOF--