Multiple Vulnerabilities in Moodle (view.php, file.php)
29 Dec. 2004
Summary
"Moodle is a course management system (CMS) - a software package designed to help educators create quality online courses."
Two security vulnerabilities have been discovered in Moodle. The first is a cross site scripting vulnerability in the forum search; the second is a directory traversal vulnerability in file.php that lets an attacker read sensitive files stored on the server, including the files that hold users' session data.
Vulnerable Systems:
* Moodle version 1.4.2 and prior
Immune Systems:
* Moodle version 1.4.3 or newer (File Disclosure)
* Moodle version 1.5 (Cross Site Scripting)
Cross Site Scripting in /mod/forum/view.php
User-supplied input must be validated or escaped before it is echoed back into a page. The $search parameter in /mod/forum/view.php is neither, so script injected through it is returned to the browser and runs in the context of the Moodle site, which is enough to read a logged-in user's session ID.
Session File Disclosure via file.php
All files containing session data are stored under the `moodledata` directory, which should not be reachable from the web. It is nevertheless possible to read them through file.php, which builds the path of the file it serves by simple concatenation:
$pathname = "$CFG->dataroot$pathinfo";
$pathinfo is checked by the function detect_munged_arguments(), but that check still allows a single `..` component. One `..` is enough to step from a course directory up into `moodledata` itself and then read files from its `sessions` subdirectory. The session ID needed to name the file can be obtained with the cross site scripting vulnerability described above.
Proof of concept:
The following request will disclose the session file: http://localhost/moodle/file.php?file=/1/../sessions/sess_6ac3b47ee23c6aa55896f4cd68af9622
Where:
* `1` after "?file=/" is an existing course ID,
* `6ac3b47ee23c6aa55896f4cd68af9622` is the session ID.
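The following is an added example, not code from the advisory or from Moodle. It models the file.php path construction quoted above and the proof-of-concept request: a lenient check that tolerates one `..` (a hypothetical stand-in for what the advisory says about detect_munged_arguments(), not that function's real code), the raw concatenation of dataroot and $pathinfo, a hardened resolver that normalises the path and requires it to stay inside the requested course directory, and a small triage helper for web-server request lines. The data directory path and the request lines are constructed for the illustration.

```python
"""Path containment for a file-serving endpoint, modelled on the advisory's
file.php traversal. Added example; not Moodle's code. The data directory,
course layout and request lines below are constructed for the illustration."""
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Assumed (constructed) data directory: one subdirectory per course ID plus a
# "sessions" directory holding sess_<id> files, as the advisory describes.
DATAROOT = "/var/moodledata"


def lenient_check(pathinfo: str) -> bool:
    """Hypothetical stand-in for a check that tolerates a single '..'.
    This is NOT Moodle's detect_munged_arguments(); it only reproduces the
    property the advisory relies on: exactly one '..' component gets through."""
    return pathinfo.split("/").count("..") <= 1


def vulnerable_pathname(pathinfo: str) -> str:
    """The concatenation quoted on the page: dataroot followed by the
    untrusted path, with no normalisation at all."""
    return DATAROOT + pathinfo


def hardened_pathname(pathinfo: str):
    """Resolve the request lexically and refuse anything that does not stay
    inside the requested course's own directory. Returns None on rejection.
    Input is expected already percent-decoded, as PHP's $_GET provides it."""
    if "\x00" in pathinfo:             # a NUL would truncate the name in fopen()
        return None
    parts = [p for p in pathinfo.split("/") if p]
    if not parts or not parts[0].isdigit():
        return None                    # first component must be a course ID
    course_dir = posixpath.join(DATAROOT, parts[0])
    full = posixpath.normpath(posixpath.join(DATAROOT, *parts))
    # normpath collapses every '.' and '..'; the containment test then rejects
    # any path that climbed out of the course directory, however many '..' used.
    if full != course_dir and not full.startswith(course_dir + "/"):
        return None
    return full


TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def flag_request(request_line: str) -> list:
    """Triage one web-server request line for the advisory's pattern. Returns
    the reasons a file.php request looks hostile, or [] if it looks benign."""
    reasons = []
    try:
        _method, url, _proto = request_line.split(" ", 2)
    except ValueError:
        return reasons
    parts = urlsplit(url)
    if not parts.path.endswith("/file.php"):
        return reasons
    target = parse_qs(parts.query).get("file", [""])[0]   # parse_qs percent-decodes
    if TRAVERSAL_RE.search(target):
        reasons.append("dot-dot component in file=")
    if "/sessions/" in target or posixpath.basename(target).startswith("sess_"):
        reasons.append("session store referenced")
    if hardened_pathname(target) is None:
        reasons.append("fails containment check")
    return reasons


# Constructed request lines (not real logs), including a percent-encoded variant.
SAMPLE_REQUESTS = [
    "GET /moodle/file.php?file=/1/lecture1.pdf HTTP/1.1",
    "GET /moodle/file.php?file=/1/../sessions/sess_6ac3b47ee23c6aa55896f4cd68af9622 HTTP/1.1",
    "GET /moodle/file.php?file=/1/%2e%2e/sessions/sess_6ac3b47ee23c6aa55896f4cd68af9622 HTTP/1.1",
    "GET /moodle/mod/forum/view.php?id=2 HTTP/1.1",
]

if __name__ == "__main__":
    poc = "/1/../sessions/sess_6ac3b47ee23c6aa55896f4cd68af9622"
    print("lenient check passes PoC:", lenient_check(poc))
    print("vulnerable pathname:", vulnerable_pathname(poc))
    print("hardened pathname:", hardened_pathname(poc))
    for line in SAMPLE_REQUESTS:
        print(flag_request(line) or "ok", "<-", line)
```

The hardened resolver is lexical only: it stops the `..` climb but does not follow symlinks, so a production version should additionally compare the realpath of the final file against the realpath of the course directory. The triage helper decodes the `file=` parameter once before matching, which is why the `%2e%2e` variant is flagged just like the plain one.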
Solution:
The Session File Disclosure vulnerability is patched in version 1.4.3. The Cross Site Scripting vulnerability is expected to be patched in version 1.5.