Multiple Vulnerabilities in Moodle

[Bartek Nowotarski <silence10@xxxxx>]

+------------------------------------------------------------------------------+
|                                                                              |
|               Multiple Vulnerabilities in Moodle                             |
|               ==================================                             |
|                                                                              |
|                                                 Author:    Bartek Nowotarski |
|                                                 Published:        2004-12-27 |
+------------------------------------------------------------------------------+


[01] General information
~~~~~~~~~~~~~~~~~~~~~~~~

  ] Document author:       Bartek Nowotarski (silence)  [
  ] Location:              Trzebinia, Poland            [
  ] E-mail:                silence10 wp pl              [
  ] Site:                  silence 0 pl                 [

  ] Application:           Moodle                       [
  ] Versions vulnerable:   <= 1.4.2                     [


[02] Introduction
~~~~~~~~~~~~~~~~~

`Moodle is a course management system (CMS) - a software package designed to
help educators create quality online courses. Such e-learning systems are
sometimes also called Learning Management Systems (LMS) or Virtual Learning
Environments (VLE).` /www.moodle.org
It has over 1000 *register* sites in 75 countries.

Project home site: http://www.moodle.org


[03] Vulnerabilities
~~~~~~~~~~~~~~~~~~~~

Two vulnerabilities have been found in Moodle CMS:

  a) ] Type: Cross Site Scripting      [
     ] File: /mod/forum/view.php       [

     ] Description:                    [

       It is a well-known fact that all user-dependant variables should be
       checked for inaccurate values. The variable $search in view.php is
       not.

       54> $buttontext = forum_print_search_form($course, $search, true,
         >                                                             "plain");

     ] Proof of concept:               [

       The following request will alert values of logged user cookies:

       > http://localhost/moodle/mod/forum/view.php?id=1&search=moodle%22%3E
       > %3Cscript%3Ealert(document.cookie)%3C/script%3E

       Where id variable should be existing course ID.

  b) ] Type: Session File Disclosure   [
     ] File: file.php                  [

     ] Description:                    [

       All files containing session data are saved in `moodledata` dir, which
       should be invisible from web. But it is possible to gain access to them:

       45> $pathname = "$CFG->dataroot$pathinfo";

       $pathinfo is checked by function detect_munged_arguments() and allows
       one use of `..` to skip to parent directory. We can use it to skip to
       `moodledata` folder itself and then read files form `sess`.
       To obtain session ID we can use cross site scripting vulnerability.

     ] Proof od concept:               [

       The following request will disclosure session file:

       > http://localhost/moodle/file.php?file=/1/../sessions/
       > sess_6ac3b47ee23c6aa55896f4cd68af9622

       Where:
         - `1` after "?file=/" is existing course ID,
         - `6ac3b47ee23c6aa55896f4cd68af9622` is session ID


[04] Solution
~~~~~~~~~~~~~

Session File Disclosure vulnerability is patched in version 1.4.3.
Cross Site Scripting vulnerability will be patched probably in
version 1.5.


[05] Timeline
~~~~~~~~~~~~~

  ] 2004-12-09 [ Session File Disclosure vulnerability (b) discovered
  ] 2004-12-10 [ Cross Site Scripting vulnerability (a) discovered
  ] 2004-12-13 [ Vendor informed
  ] 2004-12-14 [ Session File Disclosure vulnerability (b) patched
  ] 2004-12-27 [ Advisory published


[06] Credits
~~~~~~~~~~~~

Vulnerabilities discovered by Bartek Nowotarski.


--EOF--