BugTraq
Multiple Vulnerabilities in Moodle Dec 27 2004 07:45PM
Bartek Nowotarski (silence10 wp pl)


+------------------------------------------------------------------------------+
|                                                                              |
|                      Multiple Vulnerabilities in Moodle                      |
|                      ==================================                      |
|                                                                              |
|  Author: Bartek Nowotarski                                                   |
|  Published: 2004-12-27                                                       |
+------------------------------------------------------------------------------+

[01] General information
~~~~~~~~~~~~~~~~~~~~~~~~

] Document author: Bartek Nowotarski (silence) [
] Location: Trzebinia, Poland [
] E-mail: silence10 wp pl [
] Site: silence 0 pl [
] Application: Moodle [
] Versions vulnerable: <= 1.4.2 [

[02] Introduction
~~~~~~~~~~~~~~~~~

`Moodle is a course management system (CMS) - a software package designed to
help educators create quality online courses. Such e-learning systems are
sometimes also called Learning Management Systems (LMS) or Virtual Learning
Environments (VLE).` /www.moodle.org

It has over 1000 registered sites in 75 countries.

Project home site: http://www.moodle.org

[03] Vulnerabilities
~~~~~~~~~~~~~~~~~~~~

Two vulnerabilities have been found in Moodle CMS:

a) ] Type: Cross Site Scripting [
   ] File: /mod/forum/view.php [
   ] Description: [

It is a well-known fact that all user-dependent variables should be
checked for inaccurate values. The variable $search in view.php is
not checked before it is passed to the search form and echoed back:

54> $buttontext = forum_print_search_form($course, $search, true, "plain");

   ] Proof of concept: [

The following request will alert the values of the logged-in user's cookies:

> http://localhost/moodle/mod/forum/view.php?id=1&search=moodle%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Here the id variable must be an existing course ID.

b) ] Type: Session File Disclosure [
   ] File: file.php [
   ] Description: [

All files containing session data are saved in the `moodledata` dir, which
should be invisible from the web. But it is possible to gain access to them:

45> $pathname = "$CFG->dataroot$pathinfo";

$pathinfo is checked by the function detect_munged_arguments(), which allows
one use of `..` to skip to the parent directory. We can use it to skip to
the `moodledata` folder itself and then read files from `sessions`.

To obtain a session ID we can use the cross site scripting vulnerability.

   ] Proof of concept: [

The following request will disclose the session file:

> http://localhost/moodle/file.php?file=/1/../sessions/sess_6ac3b47ee23c6aa55896f4cd68af9622

Where:

- `1` after "?file=/" is an existing course ID,
- `6ac3b47ee23c6aa55896f4cd68af9622` is the session ID
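As an added illustration (not Moodle's code), the following Python models the containment check a defender would want in place of the single-`..` allowance described above. `weak_check` is an assumed approximation of the described behaviour, and the dataroot layout is constructed.

```python
import posixpath

# Constructed layout standing in for Moodle's dataroot (assumption): course
# files live in <dataroot>/<courseid>/..., session files in <dataroot>/sessions/.
DATAROOT = "/var/moodledata"


def weak_check(pathinfo: str) -> bool:
    """Approximation (assumption) of the check the advisory describes:
    a single `..` is tolerated, so one step up into dataroot is allowed."""
    return pathinfo.count("..") <= 1


def is_safe_course_file(dataroot: str, pathinfo: str) -> bool:
    """Return True only if `pathinfo` (the already-decoded file.php `file`
    argument) names a file inside a course directory under dataroot.

    Every `..`, `.` and empty component is rejected outright, and the
    normalised path must still lie under <dataroot>/<courseid>/, so
    `/1/../sessions/sess_x` can never reach the session directory.
    """
    if not pathinfo.startswith("/"):
        return False
    parts = pathinfo.split("/")[1:]
    if len(parts) < 2:                      # need <courseid>/<filename>
        return False
    if any(p in ("", ".", "..") for p in parts):
        return False
    if not parts[0].isdigit():              # course ID is numeric
        return False
    course_dir = posixpath.join(dataroot, parts[0])
    resolved = posixpath.normpath(posixpath.join(dataroot, *parts))
    return resolved.startswith(course_dir + "/")


if __name__ == "__main__":
    for p in ("/1/lecture1.pdf", "/1/../sessions/sess_CONSTRUCTED"):
        print(p, "weak:", weak_check(p),
              "hardened:", is_safe_course_file(DATAROOT, p))
```

The weak check accepts the advisory's traversal path; the hardened check rejects it while still serving ordinary course files.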

[04] Solution
~~~~~~~~~~~~~

The Session File Disclosure vulnerability is patched in version 1.4.3.

The Cross Site Scripting vulnerability will probably be patched in
version 1.5.

[05] Timeline
~~~~~~~~~~~~~

] 2004-12-09 [ Session File Disclosure vulnerability (b) discovered
] 2004-12-10 [ Cross Site Scripting vulnerability (a) discovered
] 2004-12-13 [ Vendor informed
] 2004-12-14 [ Session File Disclosure vulnerability (b) patched
] 2004-12-27 [ Advisory published

[06] Credits
~~~~~~~~~~~~

Vulnerabilities discovered by Bartek Nowotarski.

--EOF--
