+------------------------------------------------------------------------------+
| |
| Multiple Vulnerabilities in Moodle |
| ================================== |
| |
| Author: Bartek Nowotarski |
| Published: 2004-12-27 |
+------------------------------------------------------------------------------+
[01] General information
~~~~~~~~~~~~~~~~~~~~~~~~
] Document author: Bartek Nowotarski (silence) [
] Location: Trzebinia, Poland [
] E-mail: silence10 wp pl [
] Site: silence 0 pl [
] Application: Moodle [
] Versions vulnerable: <= 1.4.2 [
[02] Introduction
~~~~~~~~~~~~~~~~~
`Moodle is a course management system (CMS) - a software package designed to
help educators create quality online courses. Such e-learning systems are
sometimes also called Learning Management Systems (LMS) or Virtual Learning
Environments (VLE).` /www.moodle.org
It has over 1000 *registered* sites in 75 countries.
Project home site: http://www.moodle.org
[03] Vulnerabilities
~~~~~~~~~~~~~~~~~~~~
Two vulnerabilities have been found in Moodle CMS:
a) ] Type: Cross Site Scripting [
] File: /mod/forum/view.php [
] Description: [
It is a well-known fact that every user-supplied variable should be
checked for unexpected values. The variable $search in view.php is
not.
54> $buttontext = forum_print_search_form($course, $search, true,
> "plain");
] Proof of concept: [
The following request displays the cookies of the logged-in user in an alert box:
> http://localhost/moodle/mod/forum/view.php?id=1&search=moodle%22%3E
> %3Cscript%3Ealert(document.cookie)%3C/script%3E
Where the id parameter must be an existing course ID.
b) ] Type: Session File Disclosure [
] File: file.php [
] Description: [
All files containing session data are saved in the `moodledata` directory, which
should not be reachable from the web. It is nevertheless possible to gain access to them:
45> $pathname = "$CFG->dataroot$pathinfo";
$pathinfo is checked by the function detect_munged_arguments(), which allows
a single use of `..` to step up to the parent directory. That one step is enough
to reach the `moodledata` folder itself and then read files from `sessions`.
A session ID can be obtained through the cross site scripting vulnerability above.
] Proof of concept: [
The following request discloses a session file:
> http://localhost/moodle/file.php?file=/1/../sessions/
> sess_6ac3b47ee23c6aa55896f4cd68af9622
Where:
- `1` after "?file=/" is existing course ID,
- `6ac3b47ee23c6aa55896f4cd68af9622` is session ID
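As an added illustration (not Moodle's own code), a Python comparison of a check that merely limits `..` to one occurrence, modelled on the behaviour the advisory describes, against one that resolves the path and confines it to the course directory; the data root and file names are constructed for the demonstration:

```python
import posixpath

# Constructed data root for the demonstration; not a real Moodle path.
DATAROOT = "/var/moodledata"


def weak_check(pathinfo: str) -> bool:
    """Model of the check described in the advisory (assumption: it only
    rejects a path when '..' appears more than once)."""
    return pathinfo.count("..") <= 1


def resolve_course_file(dataroot: str, pathinfo: str):
    """Hardened check: the first segment must be a numeric course ID and the
    lexically resolved path must stay inside <dataroot>/<courseid>/.
    Returns the resolved path, or None when the request must be refused."""
    segments = [s for s in pathinfo.split("/") if s]
    if not segments or not segments[0].isdigit():
        return None
    course_dir = posixpath.join(dataroot, segments[0])
    # normpath collapses '.' and '..' before anything touches the filesystem.
    resolved = posixpath.normpath(posixpath.join(dataroot, *segments))
    if resolved == course_dir or resolved.startswith(course_dir + "/"):
        return resolved
    # Anything that escaped the course directory (e.g. into sessions/) is refused.
    return None


if __name__ == "__main__":
    # The request from the advisory (session ID is the advisory's sample value).
    traversal = "/1/../sessions/sess_6ac3b47ee23c6aa55896f4cd68af9622"
    print("weak check accepts traversal:", weak_check(traversal))
    print("hardened check result:", resolve_course_file(DATAROOT, traversal))
    # Ordinary course file, and a harmless '..' that stays inside the course dir.
    print(resolve_course_file(DATAROOT, "/1/lecture/notes.pdf"))
    print(resolve_course_file(DATAROOT, "/1/old/../notes.pdf"))
```

On a real deployment the resolved path should additionally be compared after following symlinks (os.path.realpath), since normpath only reasons about the string.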
[04] Solution
~~~~~~~~~~~~~
Session File Disclosure vulnerability is patched in version 1.4.3.
The Cross Site Scripting vulnerability will probably be patched in
version 1.5.
[05] Timeline
~~~~~~~~~~~~~
] 2004-12-09 [ Session File Disclosure vulnerability (b) discovered
] 2004-12-10 [ Cross Site Scripting vulnerability (a) discovered
] 2004-12-13 [ Vendor informed
] 2004-12-14 [ Session File Disclosure vulnerability (b) patched
] 2004-12-27 [ Advisory published
[06] Credits
~~~~~~~~~~~~
Vulnerabilities discovered by Bartek Nowotarski.
--EOF--