Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Multiple Vulnerabilities in Moodle

from [Bartek Nowotarski] Network Security [Permanent Link]
Subject: Multiple Vulnerabilities in Moodle
Date: 27 Dec 2004 19:45:44 -0000 


+------------------------------------------------------------------------------+
|                                                                              |
|               Multiple Vulnerabilities in Moodle                             |
|               ==================================                             |
|                                                                              |
|                                                 Author:    Bartek Nowotarski |
|                                                 Published:        2004-12-27 |
+------------------------------------------------------------------------------+


[01] General information
~~~~~~~~~~~~~~~~~~~~~~~~

  ] Document author:       Bartek Nowotarski (silence)  [
  ] Location:              Trzebinia, Poland            [
  ] E-mail:                silence10 wp pl              [
  ] Site:                  silence 0 pl                 [

  ] Application:           Moodle                       [
  ] Versions vulnerable:   <= 1.4.2                     [


[02] Introduction
~~~~~~~~~~~~~~~~~

`Moodle is a course management system (CMS) - a software package designed to
help educators create quality online courses. Such e-learning systems are
sometimes also called Learning Management Systems (LMS) or Virtual Learning
Environments (VLE).` /www.moodle.org
It has over 1000 *register* sites in 75 countries.

Project home site: http://www.moodle.org


[03] Vulnerabilities
~~~~~~~~~~~~~~~~~~~~

Two vulnerabilities have been found in Moodle CMS:

  a) ] Type: Cross Site Scripting      [
     ] File: /mod/forum/view.php       [

     ] Description:                    [

       It is a well-known fact that all user-dependant variables should be
       checked for inaccurate values. The variable $search in view.php is
       not.

       54> $buttontext = forum_print_search_form($course, $search, true,
         >                                                             "plain");

     ] Proof of concept:               [

       The following request will alert values of logged user cookies:

       > http://localhost/moodle/mod/forum/view.php?id=1&search=moodle%22%3E
       > %3Cscript%3Ealert(document.cookie)%3C/script%3E

       Where id variable should be existing course ID.

  b) ] Type: Session File Disclosure   [
     ] File: file.php                  [

     ] Description:                    [

       All files containing session data are saved in `moodledata` dir, which
       should be invisible from web. But it is possible to gain access to them:

       45> $pathname = "$CFG->dataroot$pathinfo";

       $pathinfo is checked by function detect_munged_arguments() and allows
       one use of `..` to skip to parent directory. We can use it to skip to
       `moodledata` folder itself and then read files form `sess`.
       To obtain session ID we can use cross site scripting vulnerability.

     ] Proof od concept:               [

       The following request will disclosure session file:

       > http://localhost/moodle/file.php?file=/1/../sessions/
       > sess_6ac3b47ee23c6aa55896f4cd68af9622

       Where:
         - `1` after "?file=/" is existing course ID,
         - `6ac3b47ee23c6aa55896f4cd68af9622` is session ID


[04] Solution
~~~~~~~~~~~~~

Session File Disclosure vulnerability is patched in version 1.4.3.
Cross Site Scripting vulnerability will be patched probably in
version 1.5.


[05] Timeline
~~~~~~~~~~~~~

  ] 2004-12-09 [ Session File Disclosure vulnerability (b) discovered
  ] 2004-12-10 [ Cross Site Scripting vulnerability (a) discovered
  ] 2004-12-13 [ Vendor informed
  ] 2004-12-14 [ Session File Disclosure vulnerability (b) patched
  ] 2004-12-27 [ Advisory published


[06] Credits
~~~~~~~~~~~~

Vulnerabilities discovered by Bartek Nowotarski.


--EOF--
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-Disclosure] [ GLSA 200412-26 ] ViewCVS: Information leak and XSS vulnerabilities, Thierry Carrez
Next by Date:  MDKSA-2004:158 - Updated samba packages fix integer overflow vulnerabilities, Mandrake Linux Security Team
Previous by Thread:  [Full-Disclosure] [ GLSA 200412-26 ] ViewCVS: Information leak and XSS vulnerabilities, Thierry Carrez
Next by Thread:  Re: Multiple Vulnerabilities in Moodle, Martin Dougiamas
Indexes:  [Date] [Thread] [Top] [All Lists]