Multiple Vulnerabilities in Moodle

2004-12-28T00:00:00
ID SECURITYVULNS:DOC:7461
Type securityvulns
Reporter Securityvulns
Modified 2004-12-28T00:00:00

Description

+------------------------------------------------------------------------------+
| Multiple Vulnerabilities in Moodle                                            |
| ==================================                                            |
|                                                                              |
| Author:    Bartek Nowotarski                                                 |
| Published: 2004-12-27                                                        |
+------------------------------------------------------------------------------+

[01] General information
~~~~~~~~~~~~~~~~~~~~~~~~

[ Document author: Bartek Nowotarski (silence) ]
[ Location:        Trzebinia, Poland           ]
[ E-mail:          silence10 wp pl             ]
[ Site:            silence 0 pl                ]

[ Application:         Moodle   ]
[ Versions vulnerable: <= 1.4.2 ]

[02] Introduction
~~~~~~~~~~~~~~~~~

`Moodle is a course management system (CMS) - a software package designed to help educators create quality online courses. Such e-learning systems are sometimes also called Learning Management Systems (LMS) or Virtual Learning Environments (VLE).` (www.moodle.org) It has over 1000 registered sites in 75 countries.

Project home site: http://www.moodle.org

[03] Vulnerabilities
~~~~~~~~~~~~~~~~~~~~

Two vulnerabilities have been found in Moodle CMS:

a) [ Type: Cross Site Scripting ]
   [ File: /mod/forum/view.php  ]

   [ Description: ]

   It is a well-known rule that every user-controlled variable must be
   validated, or escaped for the context it is written into, before it is
   used. The variable $search in view.php is neither: it is passed straight
   to the search-form renderer (view.php, line 54) and written back into
   the form's HTML unescaped.

   > $buttontext = forum_print_search_form($course, $search, true, "plain");

   [ Proof of concept: ]

   The following request closes the search field's value attribute and
   injects a script that alerts the logged-in user's cookies:

   > http://localhost/moodle/mod/forum/view.php?id=1&search=moodle%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

   Where the id parameter must be an existing course ID.
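   Added example, written for this page and not code from Moodle or from the
   advisory's author: a minimal model of a search form that reflects the
   search term into a value attribute the way the advisory describes, next to
   the same form with the term escaped for an HTML attribute context. The form
   markup and the function names are assumptions for the demo; the payload is
   the one from the proof of concept above.

```php
<?php
// Added example (not Moodle's code): a search term reflected into an HTML
// attribute becomes XSS; escaping for the attribute context stops it.
// Form markup and function names are illustrative, not Moodle's.

// Vulnerable: the raw request parameter is interpolated into the attribute.
function render_search_form_vulnerable(string $search): string
{
    return '<form action="search.php" method="get">'
         . '<input type="text" name="search" value="' . $search . '">'
         . '<input type="submit" value="Search forums">'
         . '</form>';
}

// Hardened: escape before interpolation. ENT_QUOTES encodes both " and '
// so neither attribute quoting style can be broken out of; the charset is
// given explicitly so the escaper does not guess.
function render_search_form_hardened(string $search): string
{
    $safe = htmlspecialchars($search, ENT_QUOTES, 'UTF-8');
    return '<form action="search.php" method="get">'
         . '<input type="text" name="search" value="' . $safe . '">'
         . '<input type="submit" value="Search forums">'
         . '</form>';
}

// Crude indicator that the attribute was broken out of: a literal <script
// tag survives in the rendered markup.
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed input: the advisory's payload, URL-decoded as PHP would
// present it in $_GET['search'].
$payload = urldecode('moodle%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E');

$vulnerable = render_search_form_vulnerable($payload);
$hardened   = render_search_form_hardened($payload);

echo "Vulnerable markup:\n$vulnerable\n\n";
echo "Hardened markup:\n$hardened\n\n";
echo 'Vulnerable output carries a live <script> tag: '
   . var_export(contains_script_tag($vulnerable), true) . "\n";
echo 'Hardened output carries a live <script> tag:   '
   . var_export(contains_script_tag($hardened), true) . "\n";
```

   With the payload, the vulnerable markup reads
   `value="moodle"><script>alert(document.cookie)</script>">`, so the browser
   closes the input element and executes the script; the hardened markup
   keeps the whole term inside the attribute as
   `moodle&quot;&gt;&lt;script&gt;...`. Escaping has to happen at the output
   site for the context in question; rejecting "bad" characters on input is
   not a substitute, because a search term may legitimately contain quotes.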

b) [ Type: Session File Disclosure ]
   [ File: file.php                 ]

   [ Description: ]

   All files containing session data are saved in the `moodledata`
   directory, which should not be reachable from the web. But it is possible
   to gain access to them through file.php, which builds the path to serve
   from the data root and the user-supplied path:

   > $pathname = "$CFG->dataroot$pathinfo";

   $pathinfo is checked by the function detect_munged_arguments(), which
   allows one use of `..` to move to the parent directory. We can use that
   one hop to step from a course directory up to the `moodledata` folder
   itself and then read files from `sessions`. Because only one `..` is
   tolerated, the reachable files are those directly under `moodledata` and
   its subdirectories, not arbitrary files on the system; the session files
   are the valuable target there, since each holds the serialized PHP
   session data of a logged-in user. To obtain a session ID we can use the
   cross site scripting vulnerability (a).

   [ Proof of concept: ]

   The following request will disclose a session file:

   > http://localhost/moodle/file.php?file=/1/../sessions/sess_6ac3b47ee23c6aa55896f4cd68af9622

   Where:
     - `1` after "?file=/" is an existing course ID,
     - `6ac3b47ee23c6aa55896f4cd68af9622` is a session ID
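   Added example, written for this page and not Moodle's code: a check that
   only counts `..` occurrences and tolerates one of them, modelled on the
   behaviour the advisory describes, beside a containment check that resolves
   the requested path with realpath() and refuses anything outside the
   requested course's directory. The directory layout, file names and function
   names are assumptions made for the demo; the constructed session file holds
   placeholder content.

```php
<?php
// Added example, not Moodle's code. lenient_check() models the ".."
// counter the advisory describes (one hop tolerated); resolve_course_file()
// is a containment check that resolves the path and keeps it inside the
// course directory. Layout, names and contents below are constructed.

// Lenient check modelled on the advisory's description: reject only if ".."
// appears more than $allowdots times. One hop to the parent passes.
function lenient_check(string $pathinfo, int $allowdots = 1): bool
{
    return substr_count($pathinfo, '..') <= $allowdots;
}

// Hardened check: the leading path component is the course ID. Resolve both
// the course directory and the requested file with realpath(), then serve
// the file only if it lies strictly inside the course directory.
function resolve_course_file(string $dataroot, string $pathinfo): ?string
{
    $courseid = explode('/', ltrim($pathinfo, '/'), 2)[0];
    if ($courseid === '' || !ctype_digit($courseid)) {
        return null;
    }
    $base   = realpath($dataroot . '/' . $courseid);
    $target = realpath($dataroot . $pathinfo);
    if ($base === false || $target === false) {
        return null;               // course directory or file does not exist
    }
    // Prefix test with the separator appended, so "/data/1" never matches
    // "/data/10"; the course directory itself is also refused.
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// Constructed layout: moodledata/1/notes.txt (a course file) and
// moodledata/sessions/sess_<id> (a session file that must stay private).
$dataroot = sys_get_temp_dir() . '/moodledata_demo_' . getmypid();
$sessfile = 'sess_6ac3b47ee23c6aa55896f4cd68af9622';
mkdir("$dataroot/1", 0700, true);
mkdir("$dataroot/sessions", 0700, true);
file_put_contents("$dataroot/1/notes.txt", "course material\n");
file_put_contents("$dataroot/sessions/$sessfile", "placeholder session data\n");

$requests = [
    '/1/notes.txt',             // legitimate course file
    "/1/../sessions/$sessfile", // the advisory's proof of concept: one hop
    '/1/../../etc/passwd',      // two hops: both checks refuse this
];

foreach ($requests as $pathinfo) {
    $lenient  = lenient_check($pathinfo) ? 'pass' : 'reject';
    $resolved = resolve_course_file($dataroot, $pathinfo);
    $hardened = $resolved === null ? 'reject' : 'serve ' . basename($resolved);
    printf("%-50s lenient: %-7s hardened: %s\n", $pathinfo, $lenient, $hardened);
}

// Remove the constructed tree again.
unlink("$dataroot/1/notes.txt");
unlink("$dataroot/sessions/$sessfile");
rmdir("$dataroot/1");
rmdir("$dataroot/sessions");
rmdir($dataroot);
```

   The lenient check passes the proof-of-concept path because it contains a
   single `..`, while the containment check rejects it: the resolved target
   is `moodledata/sessions/sess_...`, which is not under `moodledata/1/`.
   Counting `..` is the wrong model of the problem; the property to enforce
   is where the resolved path ends up. Note that realpath() follows symbolic
   links, so a symlink inside a course directory that points elsewhere would
   also be refused, which is the conservative outcome for a file server.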

[04] Solution
~~~~~~~~~~~~~

The Session File Disclosure vulnerability (b) is patched in version 1.4.3. The Cross Site Scripting vulnerability (a) will probably be patched in version 1.5.

[05] Timeline
~~~~~~~~~~~~~

[ 2004-12-09 ] Session File Disclosure vulnerability (b) discovered
[ 2004-12-10 ] Cross Site Scripting vulnerability (a) discovered
[ 2004-12-13 ] Vendor informed
[ 2004-12-14 ] Session File Disclosure vulnerability (b) patched
[ 2004-12-27 ] Advisory published

[06] Credits
~~~~~~~~~~~~

Vulnerabilities discovered by Bartek Nowotarski.

--EOF--