[UNIX] Multiple Vulnerabilities in Moodle (view.php, file.php)

From: SecuriTeam (support_at_securiteam.com)
Date: 12/29/04

    To: list@securiteam.com
    Date: 29 Dec 2004 15:36:39 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Multiple Vulnerabilities in Moodle (view.php, file.php)
    ------------------------------------------------------------------------

    SUMMARY

    "Moodle (http://www.moodle.org/) is a course management system (CMS) - a
    software package designed to help educators create quality online
    courses."

    Two security vulnerabilities have been discovered in Moodle that allow an
    attacker to cause a cross site scripting vulnerability and to disclose the
    content of sensitive files stored on the server through a directory
    traversal vulnerability.

    DETAILS

    Vulnerable Systems:
     * Moodle version 1.4.2 and prior

    Immune Systems:
     * Moodle version 1.4.3 or newer (File Disclosure)
     * Moodle version 1.5 (Cross Site Scripting)

    Cross Site Scripting in /mod/forum/view.php
    It is a well-known fact that all user-supplied variables should be
    validated before use. The variable $search in view.php is not; it is
    passed straight to the search form renderer:

    $buttontext = forum_print_search_form($course, $search, true, "plain");

    Proof of concept:
    The following request will display the logged-in user's cookies in an
    alert box:

    http://localhost/moodle/mod/forum/view.php?id=1&search=moodle
    %22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

    where the id parameter must be an existing course ID.
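    The fix for this class of bug is output encoding in the context where the value is rendered. The following is an added example, not Moodle's code: render_search_box_vulnerable() and render_search_box_hardened() are hypothetical stand-ins for the search form renderer, and the input string is the advisory's proof-of-concept value after URL decoding.

```php
<?php
// Added example (not Moodle's code). Shows the unescaped-parameter pattern
// that the advisory describes for $search in view.php, next to the same
// rendering with HTML attribute encoding applied.

// Vulnerable pattern: the request parameter is concatenated straight into
// HTML, so a quote in the value closes the attribute and the rest of the
// string is parsed as markup.
function render_search_box_vulnerable(string $search): string
{
    return '<input type="text" name="search" value="' . $search . '">';
}

// Hardened pattern: encode for the HTML attribute context before output.
// ENT_QUOTES encodes both quote characters (the double quote is what breaks
// out of value="..."), ENT_SUBSTITUTE keeps invalid UTF-8 from emptying the
// output, and the charset is stated explicitly.
function render_search_box_hardened(string $search): string
{
    $safe = htmlspecialchars($search, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="search" value="' . $safe . '">';
}

// Returns true when the rendered markup still contains an unencoded
// script tag, i.e. the encoding did not neutralise the input.
function contains_raw_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed input: the advisory's proof-of-concept value, URL-decoded.
$search = 'moodle"><script>alert(document.cookie)</script>';

foreach (['vulnerable' => render_search_box_vulnerable($search),
          'hardened'   => render_search_box_hardened($search)] as $label => $html) {
    printf("%-10s raw <script> present: %s\n%s\n\n",
        $label, contains_raw_script($html) ? 'yes' : 'no', $html);
}
```

    In the hardened output the double quote becomes `&quot;` and the angle brackets become `&lt;` and `&gt;`, so the browser renders the whole value as text inside the attribute. Encoding has to match the context: a value placed inside a JavaScript block or a URL needs a different encoder than htmlspecialchars().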

    Session File Disclosure via file.php
    All files containing session data are saved in the `moodledata` directory,
    which should not be reachable from the web. But it is possible to gain
    access to them:

    $pathname = "$CFG->dataroot$pathinfo";

    $pathinfo is checked by the function detect_munged_arguments(), which
    allows one use of `..` to move to the parent directory. We can use it to
    move up to the `moodledata` folder itself and then read files from
    `sessions`. To obtain a session ID we can use the cross site scripting
    vulnerability.

    Proof of concept:
    The following request will disclose a session file:
    http://localhost/moodle/file.php?file=/1/../sessions/sess_6ac3b47ee23c6aa55896f4cd68af9622

    Where:
     * `1` after "?file=/" is existing course ID,
     * `6ac3b47ee23c6aa55896f4cd68af9622` is session ID
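    Counting `..` components, as the advisory describes for detect_munged_arguments(), is the wrong primitive: the check should be that the final, canonical path is inside the directory the caller is allowed to read. The following is an added example, not Moodle's code: resolve_course_file() is a hypothetical replacement for the path handling in file.php, and the directory tree it builds is constructed for the demonstration.

```php
<?php
// Added example (not Moodle's code). A containment check for file.php-style
// downloads: resolve the requested path with realpath() and require the
// result to stay under $dataroot/<courseid>/. A single "../" then cannot
// reach $dataroot/sessions, whatever the request looks like.

// Returns the canonical absolute path of the requested file, or null when
// the request does not point at an existing file inside its course area.
function resolve_course_file(string $dataroot, string $pathinfo): ?string
{
    // The first path component of ?file= is the course id and must be numeric.
    $parts = explode('/', ltrim($pathinfo, '/'));
    if (count($parts) < 2 || $parts[0] === '' || !ctype_digit($parts[0])) {
        return null;
    }
    // Canonical course directory; false if it does not exist.
    $base = realpath($dataroot . '/' . $parts[0]);
    if ($base === false) {
        return null;
    }
    // Canonical requested file: realpath() collapses "." and "..", resolves
    // symlinks and returns false for files that do not exist.
    $candidate = realpath($dataroot . '/' . $pathinfo);
    if ($candidate === false) {
        return null;
    }
    // Containment test on the canonical strings. The trailing separator
    // matters: "/data/1" must not be accepted as a prefix of "/data/10/x".
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demonstration tree in a temporary directory, mirroring the
// layout the advisory describes: a course directory and a sessions directory
// side by side under the data root.
$dataroot = sys_get_temp_dir() . '/moodledata_demo_' . getmypid();
mkdir("$dataroot/1", 0700, true);
mkdir("$dataroot/sessions", 0700, true);
file_put_contents("$dataroot/1/notes.txt", "course file\n");
file_put_contents("$dataroot/sessions/sess_demo", "session data\n");

$requests = [
    '/1/notes.txt',                 // legitimate course file
    '/1/../sessions/sess_demo',     // the advisory's traversal shape
    '/1/./../sessions/sess_demo',   // same escape with a "." inserted
    '/sessions/sess_demo',          // no course id at all
];
foreach ($requests as $req) {
    $resolved = resolve_course_file($dataroot, $req);
    printf("%-30s -> %s\n", $req,
        $resolved === null ? 'denied' : 'allowed: ' . basename($resolved));
}

// Remove the demonstration tree.
unlink("$dataroot/1/notes.txt");
unlink("$dataroot/sessions/sess_demo");
rmdir("$dataroot/1");
rmdir("$dataroot/sessions");
rmdir($dataroot);
```

    Only the first request is allowed; the other three resolve outside `$dataroot/1/` or fail the course-id check. Because realpath() follows symlinks, the check also holds when a link inside the course directory points elsewhere, which a textual `..` counter never sees. The application-level check is a complement to, not a substitute for, keeping `moodledata` outside the web root.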

    Solution:
    The Session File Disclosure vulnerability is patched in version 1.4.3. The
    Cross Site Scripting vulnerability will probably be patched in
    version 1.5.

    Disclosure Timeline:
    2004-12-09 - Session File Disclosure vulnerability (b) discovered
    2004-12-10 - Cross Site Scripting vulnerability (a) discovered
    2004-12-13 - Vendor informed
    2004-12-14 - Session File Disclosure vulnerability (b) patched
    2004-12-27 - Advisory published

    ADDITIONAL INFORMATION

    The information has been provided by Bartek Nowotarski (silence10@wp.pl).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

