Multiple Vulnerabilities in Moodle
+------------------------------------------------------------------------------+
| |
| Multiple Vulnerabilities in Moodle |
| ================================== |
| |
| Author: Bartek Nowotarski |
| Published: 2004-12-27 |
+------------------------------------------------------------------------------+
[01] General information
~~~~~~~~~~~~~~~~~~~~~~~~
] Document author: Bartek Nowotarski (silence) [
] Location: Trzebinia, Poland [
] E-mail: silence10 wp pl [
] Site: silence 0 pl [
] Application: Moodle [
] Versions vulnerable: <= 1.4.2 [
[02] Introduction
~~~~~~~~~~~~~~~~~
`Moodle is a course management system (CMS) - a software package designed to
help educators create quality online courses. Such e-learning systems are
sometimes also called Learning Management Systems (LMS) or Virtual Learning
Environments (VLE).` /www.moodle.org
It has over 1000 *register* sites in 75 countries.
Project home site: http://www.moodle.org
[03] Vulnerabilities
~~~~~~~~~~~~~~~~~~~~
Two vulnerabilities have been found in Moodle CMS:
a) ] Type: Cross Site Scripting [
] File: /mod/forum/view.php [
] Description: [
It is a well-known fact that all user-dependant variables should be
checked for inaccurate values. The variable $search in view.php is
not.
54> $buttontext = forum_print_search_form($course, $search, true,
> "plain");
] Proof of concept: [
The following request will alert values of logged user cookies:
> http://localhost/moodle/mod/forum/view.php?id=1&search=moodle%22%3E
> %3Cscript%3Ealert(document.cookie)%3C/script%3E
Where id variable should be existing course ID.
b) ] Type: Session File Disclosure [
] File: file.php [
] Description: [
All files containing session data are saved in `moodledata` dir, which
should be invisible from web. But it is possible to gain access to them:
45> $pathname = "$CFG->dataroot$pathinfo";
$pathinfo is checked by function detect_munged_arguments() and allows
one use of `..` to skip to parent directory. We can use it to skip to
`moodledata` folder itself and then read files form `sess`.
To obtain session ID we can use cross site scripting vulnerability.
] Proof od concept: [
The following request will disclosure session file:
> http://localhost/moodle/file.php?file=/1/../sessions/
> sess_6ac3b47ee23c6aa55896f4cd68af9622
Where:
- `1` after "?file=/" is existing course ID,
- `6ac3b47ee23c6aa55896f4cd68af9622` is session ID
[04] Solution
~~~~~~~~~~~~~
Session File Disclosure vulnerability is patched in version 1.4.3.
Cross Site Scripting vulnerability will be patched probably in
version 1.5.
[05] Timeline
~~~~~~~~~~~~~
] 2004-12-09 [ Session File Disclosure vulnerability (b) discovered
] 2004-12-10 [ Cross Site Scripting vulnerability (a) discovered
] 2004-12-13 [ Vendor informed
] 2004-12-14 [ Session File Disclosure vulnerability (b) patched
] 2004-12-27 [ Advisory published
[06] Credits
~~~~~~~~~~~~
Vulnerabilities discovered by Bartek Nowotarski.
--EOF--