
[Repost] Multiple security vulnerabilities in Moodle view.php and file.php, and how to detect them

Source: www.securiteam.com

Summary
"Moodle is a course management system (CMS) - a software package designed to help educators create quality online courses."

Two security vulnerabilities have been discovered in Moodle: a cross site scripting vulnerability, and a directory traversal vulnerability that lets an attacker disclose the content of sensitive files stored on the server.

Details
Vulnerable Systems:
* Moodle version 1.4.2 and prior

Immune Systems:
* Moodle version 1.4.3 or newer (File Disclosure)
* Moodle version 1.5 (Cross Site Scripting)

Cross Site Scripting in /mod/forum/view.php
It is a well-known fact that all user-controlled variables should be validated before use. The variable $search in view.php is not.

$buttontext = forum_print_search_form($course, $search, true, "plain");

Proof of concept:
The following request pops up an alert box showing the logged-in user's cookies:

http://localhost/moodle/mod/forum/view.php?id=1&search=moodle %22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Where the id parameter must be an existing course ID.
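To show why the unvalidated $search matters, and what the fix looks like, here is an added example (not code from the advisory or from Moodle). Python stands in for the PHP of view.php; the form markup is an assumption, since the advisory does not show what forum_print_search_form() emits. The sample query string is the advisory's own proof-of-concept, and the hardened variant HTML-encodes the value for the attribute context so the `"` can no longer close the attribute.

```python
import html
import urllib.parse

# Constructed sample: the query string from the advisory's proof-of-concept URL.
POC_QUERY = "search=moodle%20%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E"


def search_value(query_string: str) -> str:
    """Extract the `search` parameter as $search would arrive in view.php
    (URL-decoded by the web server / PHP before the script sees it)."""
    return urllib.parse.parse_qs(query_string).get("search", [""])[0]


def render_search_form_unsafe(search: str) -> str:
    """Mirrors the vulnerable pattern: the value is interpolated into an
    attribute with no encoding, so a `"` closes the attribute and the rest
    of the input is parsed as markup by the browser."""
    return f'<input type="text" name="search" value="{search}">'


def render_search_form_safe(search: str) -> str:
    """Hardened form: entity-encode for the HTML attribute context.
    quote=True turns both `"` and `'` into entities as well as < > &."""
    return f'<input type="text" name="search" value="{html.escape(search, quote=True)}">'


def contains_script_tag(markup: str) -> bool:
    """Crude check used here only to demonstrate the difference."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    s = search_value(POC_QUERY)
    print("unsafe:", render_search_form_unsafe(s))
    print("safe:  ", render_search_form_safe(s))
```

Note that the encoding must match the context: html.escape() is right for HTML text and quoted attributes, but a value placed inside a JavaScript string or a URL needs the encoding for that context instead.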

Session File Disclosure via file.php
All files containing session data are saved in the `moodledata` directory, which should not be reachable from the web. It is nevertheless possible to gain access to them:

$pathname = "$CFG->dataroot$pathinfo";

$pathinfo is checked by the function detect_munged_arguments(), which still allows a single `..` to move up to the parent directory. That one step is enough to reach the `moodledata` folder itself and then read files from `sess`. A session ID to request can be obtained through the cross site scripting vulnerability above.

Proof of concept:
The following request discloses a session file:
http://localhost/moodle/file.php ... aa55896f4cd68af9622

Where:
* `1` after "?file=/" is existing course ID,
* `6ac3b47ee23c6aa55896f4cd68af9622` is session ID
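The weakness described above is that the check counts `..` occurrences instead of asking where the final path ends up. The following added example (not Moodle's code; the single-`..` rule is reconstructed from the advisory's description, and the dataroot path and directory layout are constructed) contrasts that rule with a containment check: normalise the joined path, then require that it stays inside the requested course's own directory, compared component by component rather than as a string prefix.

```python
import posixpath
from typing import Optional

# Constructed example layout, modelled on the advisory: course files live under
# <dataroot>/<courseid>/ and PHP session files under <dataroot>/sess/.
DATAROOT = "/var/www/moodledata"


def permitted_by_single_dotdot_rule(pathinfo: str) -> bool:
    """Reconstruction (an assumption, not Moodle's code) of the weak rule the
    advisory describes: the request is rejected only if `..` appears more
    than once, so one parent-directory step is always allowed."""
    return pathinfo.count("..") <= 1


def resolve_under_course_dir(pathinfo: str) -> Optional[str]:
    """Hardened check. Returns the resolved filesystem path when the request
    stays inside <dataroot>/<courseid>/, otherwise None."""
    parts = [p for p in pathinfo.split("/") if p]
    # The first component must be a course ID, exactly as file.php expects.
    if not parts or not parts[0].isdigit():
        return None
    course_dir = posixpath.join(DATAROOT, parts[0])
    # normpath resolves `.` and `..` lexically; on a real deployment add
    # os.path.realpath() here as well so symlinks cannot point outside.
    candidate = posixpath.normpath(posixpath.join(DATAROOT, *parts))
    # commonpath compares whole components, so "/moodledata/1" does not
    # accidentally match "/moodledata/10/...", which a startswith() test would.
    if posixpath.commonpath([course_dir, candidate]) != course_dir:
        return None
    return candidate


if __name__ == "__main__":
    # The advisory's proof-of-concept path: one `..` from course 1 into sess/.
    poc = "/1/../sess/sess_6ac3b47ee23c6aa55896f4cd68af9622"
    print("single-dotdot rule permits PoC:", permitted_by_single_dotdot_rule(poc))
    print("containment check resolves PoC to:", resolve_under_course_dir(poc))
    print("legitimate file resolves to:", resolve_under_course_dir("/1/lecture1.pdf"))
```

The containment check also blocks a request such as `/1/../10/notes.txt`, which the counting rule accepts: it contains only one `..` but reads another course's files.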

Solution:
The Session File Disclosure vulnerability is patched in version 1.4.3. The Cross Site Scripting vulnerability will probably be patched in version 1.5.

Disclosure Timeline:
2004-12-09 - Session File Disclosure vulnerability (b) discovered
2004-12-10 - Cross Site Scripting vulnerability (a) discovered
2004-12-13 - Vendor informed
2004-12-14 - Session File Disclosure vulnerability (b) patched
2004-12-27 - Advisory published

Additional information
The information has been provided by Bartek Nowotarski.
