EvilOctal Security Team Technical Discussion Group's Archiver

冰血封情 2004-12-30 12:13

[Repost] Multiple security vulnerabilities in Moodle view.php and file.php, and how to check for them

Source: [url]www.securiteam.com[/url]

Summary
"Moodle is a course management system (CMS) - a software package designed to help educators create quality online courses."

Two security vulnerabilities have been discovered in Moodle that allow an attacker to cause a cross site scripting vulnerability and to disclose the content of sensitive files stored on the server through a directory traversal vulnerability.

Details
Vulnerable Systems:
* Moodle version 1.4.2 and prior

Immune Systems:
* Moodle version 1.4.3 or newer (File Disclosure)
* Moodle version 1.5 (Cross Site Scripting)

Cross Site Scripting in /mod/forum/view.php
It is a well-known fact that all user-supplied variables should be checked for unexpected values. The variable $search in view.php is not.

54> $buttontext = forum_print_search_form($course, $search, true, "plain");

Proof of concept:
The following request pops up an alert showing the logged-in user's cookies:

[url]http://localhost/moodle/mod/forum/view.php?id=1&search=moodle%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E[/url]

Where the id variable must be an existing course ID.

Session File Disclosure via file.php
All files containing session data are saved in the `moodledata` directory, which should not be reachable from the web. But it is possible to gain access to them:

45> $pathname = "$CFG->dataroot$pathinfo";

$pathinfo is checked by the function detect_munged_arguments(), which allows one use of `..` to step up to the parent directory. We can use it to step up to the `moodledata` folder itself and then read the `sess_*` session files. To obtain a session ID we can use the cross site scripting vulnerability.

Proof of concept:
The following request will disclose a session file:
[url]http://localhost/moodle/file.php?file=/1/../sessions/sess_6ac3b47ee23c6aa55896f4cd68af9622[/url]

Where:
* `1` after "?file=/" is an existing course ID,
* `6ac3b47ee23c6aa55896f4cd68af9622` is the session ID
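As an added illustration (not Moodle's code and not part of the advisory), the following Python models why a filter that merely tolerates a single `..` is not enough, and shows the check a defender wants instead: normalise the whole path and require it to stay under the course directory named in the request. DATAROOT, the function names and the sample requests are constructed assumptions.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed sample dataroot (stands in for $CFG->dataroot; not a real path).
DATAROOT = "/var/www/moodledata"


def naive_munged_check(pathinfo: str) -> bool:
    """Model of a filter that tolerates one '..' (the behaviour the advisory
    attributes to detect_munged_arguments). Returns True when the path passes."""
    return unquote(pathinfo).count("..") <= 1


def confine_to_course_dir(dataroot: str, pathinfo: str) -> Optional[str]:
    """Return the absolute path for a request of the form /<courseid>/<file>,
    or None if the normalised path would leave that course's directory.

    The first segment must be a numeric course id. Everything is resolved
    lexically with normpath before the containment test, so '..', '.' and
    doubled slashes cannot move the result outside the course directory."""
    decoded = unquote(pathinfo)
    parts = [p for p in decoded.split("/") if p]
    if not parts or not parts[0].isdigit():
        return None
    course_dir = posixpath.join(dataroot, parts[0])
    resolved = posixpath.normpath(posixpath.join(dataroot, *parts))
    # Compare with a trailing separator so that '/moodledata/10/x' is not
    # accepted as lying inside '/moodledata/1'.
    if resolved != course_dir and not resolved.startswith(course_dir + "/"):
        return None
    # In a real deployment also apply os.path.realpath() and re-check, so that
    # a symlink inside the course directory cannot point back out of it.
    return resolved


if __name__ == "__main__":
    # Constructed request shaped like the advisory's proof of concept.
    traversal = "/1/../sessions/sess_6ac3b47ee23c6aa55896f4cd68af9622"
    print("naive check lets it through:", naive_munged_check(traversal))       # True
    print("confined check result:", confine_to_course_dir(DATAROOT, traversal))  # None
    print(confine_to_course_dir(DATAROOT, "/1/notes/../readme.txt"))  # /var/www/moodledata/1/readme.txt
```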

Solution:
The Session File Disclosure vulnerability is patched in version 1.4.3. The Cross Site Scripting vulnerability will probably be patched in version 1.5.

Disclosure Timeline:
2004-12-09 - Session File Disclosure vulnerability (b) discovered
2004-12-10 - Cross Site Scripting vulnerability (a) discovered
2004-12-13 - Vendor informed
2004-12-14 - Session File Disclosure vulnerability (b) patched
2004-12-27 - Advisory published

Additional information
The information has been provided by Bartek Nowotarski.

© 1999-2008 EvilOctal Security Team