OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Multiple Vulnerabilities in Moodle

From: Bartek Nowotarski (silence10wp.pl)
Date: Mon Dec 27 2004 - 13:45:44 CST

+------------------------------------------------------------------------------+
| |
| Multiple Vulnerabilities in Moodle |
| ================================== |
| |
| Author: Bartek Nowotarski |
| Published: 2004-12-27 |
+------------------------------------------------------------------------------+

[01] General information
~~~~~~~~~~~~~~~~~~~~~~~~

  ] Document author: Bartek Nowotarski (silence) [
  ] Location: Trzebinia, Poland [
  ] E-mail: silence10 wp pl [
  ] Site: silence 0 pl [

  ] Application: Moodle [
  ] Versions vulnerable: <= 1.4.2 [

[02] Introduction
~~~~~~~~~~~~~~~~~

`Moodle is a course management system (CMS) - a software package designed to
help educators create quality online courses. Such e-learning systems are
sometimes also called Learning Management Systems (LMS) or Virtual Learning
Environments (VLE).` /www.moodle.org
It has over 1000 *register* sites in 75 countries.

Project home site: http://www.moodle.org

[03] Vulnerabilities
~~~~~~~~~~~~~~~~~~~~

Two vulnerabilities have been found in Moodle CMS:

  a) ] Type: Cross Site Scripting [
     ] File: /mod/forum/view.php [

     ] Description: [

       It is a well-known fact that all user-dependant variables should be
       checked for inaccurate values. The variable $search in view.php is
       not.

       54> $buttontext = forum_print_search_form($course, $search, true,
> "plain");

     ] Proof of concept: [

       The following request will alert values of logged user cookies:

> http://localhost/moodle/mod/forum/view.php?id=1&search=moodle%22%3E
> %3Cscript%3Ealert(document.cookie)%3C/script%3E

       Where id variable should be existing course ID.

  b) ] Type: Session File Disclosure [
     ] File: file.php [

     ] Description: [

       All files containing session data are saved in `moodledata` dir, which
       should be invisible from web. But it is possible to gain access to them:

       45> $pathname = "$CFG->dataroot$pathinfo";

       $pathinfo is checked by function detect_munged_arguments() and allows
       one use of `..` to skip to parent directory. We can use it to skip to
       `moodledata` folder itself and then read files form `sess`.
       To obtain session ID we can use cross site scripting vulnerability.

     ] Proof od concept: [

       The following request will disclosure session file:

> http://localhost/moodle/file.php?file=/1/../sessions/
> sess_6ac3b47ee23c6aa55896f4cd68af9622

       Where:
         - `1` after "?file=/" is existing course ID,
         - `6ac3b47ee23c6aa55896f4cd68af9622` is session ID

[04] Solution
~~~~~~~~~~~~~

Session File Disclosure vulnerability is patched in version 1.4.3.
Cross Site Scripting vulnerability will be patched probably in
version 1.5.

[05] Timeline
~~~~~~~~~~~~~

  ] 2004-12-09 [ Session File Disclosure vulnerability (b) discovered
  ] 2004-12-10 [ Cross Site Scripting vulnerability (a) discovered
  ] 2004-12-13 [ Vendor informed
  ] 2004-12-14 [ Session File Disclosure vulnerability (b) patched
  ] 2004-12-27 [ Advisory published

[06] Credits
~~~~~~~~~~~~

Vulnerabilities discovered by Bartek Nowotarski.

--EOF--