Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] Multiple Vulnerabilities in Moodle (view.php, file.php)

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] Multiple Vulnerabilities in Moodle (view.php, file.php)
Date: 29 Dec 2004 15:36:39 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Multiple Vulnerabilities in Moodle (view.php, file.php)
------------------------------------------------------------------------


SUMMARY

" <http://www.moodle.org/> Moodle is a course management system (CMS) - a 
software package designed to help educators create quality online 
courses."

Two security vulnerabilities have been discovered in Moodle that allow an 
attacker to cause a cross site scripting vulnerability and to disclose the 
content of sensitive files stored on the server through a directory 
traversal vulnerability.

DETAILS

Vulnerable Systems:
 * Moodle version 1.4.2 and prior

Immune Systems:
 * Moodle version 1.4.3 or newer (File Disclosure)
 * Moodle version 1.5 (CSS)

Cross Site Scripting in /mod/forum/view.php
It is a well-known fact that all user-dependent variables should be 
checked for inaccurate values. The variable $search in view.php is not.

54> $buttontext = forum_print_search_form($course, $search, true,

"plain");


Proof of concept:
The following request will alert values of logged user cookies:

http://localhost/moodle/mod/forum/view.php?id=1&search=moodle 
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Where id variable should be existing course ID.

Session File Disclosure via file.php
All files containing session data are saved in `moodledata` directory, 
which should be invisible from web. But it is possible to gain access to 
them:

45> $pathname = "$CFG->dataroot$pathinfo";

$pathinfo is checked by function detect_munged_arguments() and allows one 
use of `..` to skip to parent directory. We can use it to skip to 
`moodledata` folder itself and then read files form `sess`. To obtain 
session ID we can use cross site scripting vulnerability.

Proof of concept:
The following request will disclosure session file:
http://localhost/moodle/file.php?file=/1/../sessions/sess_6ac3b47ee23c6aa55896f4cd68af9622

Where:
 * `1` after "?file=/" is existing course ID,
 * `6ac3b47ee23c6aa55896f4cd68af9622` is session ID

Solution:
Session File Disclosure vulnerability is patched in version 1.4.3. Cross 
Site Scripting vulnerability will be patched probably in
version 1.5.

Disclosure Timeline:
2004-12-09 - Session File Disclosure vulnerability (b) discovered
2004-12-10 - Cross Site Scripting vulnerability (a) discovered
2004-12-13 - Vendor informed
2004-12-14 - Session File Disclosure vulnerability (b) patched
2004-12-27 - Advisory published


ADDITIONAL INFORMATION

The information has been provided by  <mailto:silence10@wp.pl> Bartek 
Nowotarski.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] Multiple Vulnerabilities in Moodle (view.php, file.php), SecuriTeam <=
Previous by Date:  [UNIX] Stack Overflow in AIFF Demultiplexer, SecuriTeam
Next by Date:  [NEWS] Browsers' FTP Client can be Used to Send Mail, SecuriTeam
Previous by Thread:  [UNIX] Stack Overflow in AIFF Demultiplexer, SecuriTeam
Next by Thread:  [NEWS] Browsers' FTP Client can be Used to Send Mail, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]