moodleinstall-xss.txt

12 Jan 2008 00:00:00 | Reported by Hanno Boeck | Type: packetstorm | Source: packetstormsecurity.com

Moodle installer code XSS vulnerability CVE-2008-012

`Source URL of this announcement:  
http://int21.de/cve/CVE-2008-0123-moodle.html  
  
References  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0123  
  
Description  
Moodle is a course management system for educators.  
The installer code is vulnerable to Cross Site Scripting, allowing an attacker to inject  
JavaScript and steal cookies. The XSS can only be triggered against a Moodle instance that  
has not yet been installed, so this can be considered low impact. An attack is still  
possible if an attacker knows that another person is installing Moodle.  
  
Sample code  
Sample XSS code:  
<form method="post" action="http://localhost/moodle/install.php">  
<input type="hidden" name="stage" value="3">  
<input type="text" name="dbname" value='"><script>alert(1)</script>'>  
<input type=submit>  
</form>  
  
Workaround/Fix  
Update to 1.8.4.  
  
Disclosure Timeline  
2007-01-08 Vendor contacted  
2007-01-08 Vendor fixed cvs  
2007-01-11 Vendor released 1.8.4  
  
CVE Information  
The Common Vulnerabilities and Exposures (CVE) project has assigned the name   
CVE-2008-0123 to this issue. This is a candidate for inclusion in the CVE   
list (http://cve.mitre.org/), which standardizes names for security problems.  
  
Credits and copyright  
This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting.  
It's licensed under the Creative Commons Attribution license.  
Hanno Boeck, 2008-01-12, http://www.hboeck.de  
  
--   
Hanno Böck Blog: http://www.hboeck.de/  
GPG: 3DBD3B20 Jabber/Mail: [email protected]  
`
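
The reflection pattern that the sample form's `dbname` payload points to, shown next to an attribute-encoded version and a parser-based regression check. This is an added example, not code from the advisory or from Moodle. It is a Python model rather than Moodle's PHP, the function names `render_unsafe`, `render_safe` and `audit` are hypothetical, and the assumption that the value is echoed into a double-quoted `value` attribute is inferred from the payload's `">` prefix.

```python
from html import escape
from html.parser import HTMLParser

# Payload taken from the advisory's sample form (dbname field).
PAYLOAD = '"><script>alert(1)</script>'


def render_unsafe(dbname: str) -> str:
    # Hypothetical model of the flaw: POST data echoed into an attribute as-is.
    return '<input type="text" name="dbname" value="' + dbname + '">'


def render_safe(dbname: str) -> str:
    # Encode for a quoted-attribute context: &, <, > and both quote characters.
    return ('<input type="text" name="dbname" value="'
            + escape(dbname, quote=True) + '">')


class _Audit(HTMLParser):
    """Records every element the parser sees and the dbname field's value."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.dbname_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == "dbname":
            self.dbname_value = attrs.get("value")


def audit(markup: str, submitted: str = PAYLOAD) -> dict:
    """Parse rendered markup and report whether the input escaped its attribute."""
    parser = _Audit()
    parser.feed(markup)
    parser.close()
    return {
        "tags": parser.tags,
        "injected_script": "script" in parser.tags,
        # True only when the field still holds exactly what was submitted.
        "value_round_trips": parser.dbname_value == submitted,
    }
```

The same `audit` check can be pointed at the HTML an installer page returns in a test environment to confirm that a fixed version keeps the submitted string inside the `value` attribute.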
