Moodle

Crash without Error-Message when typing system(

Details

  • Type: Bug
  • Status: Closed
  • Priority: Major
  • Resolution: Not a bug
  • Affects Version/s: 1.8.4, 1.9.3
  • Fix Version/s: None
  • Component/s: HTML Editor
  • Labels:
    None
  • Environment:
    Open SuSE, Ubuntu... Apache2 php5...
  • Database:
    MySQL
  • Difficulty:
    Easy
  • Affected Branches:
    MOODLE_18_STABLE, MOODLE_19_STABLE

Description

When typing system( in any HTML-Editor Window, the next page -> modedit.php shows a white screen and the edit has no effect. No PHP-Errors.

Activity

Petr Škoda (skodak) added a comment -

hello,
this is not a moodle bug, please check your server, there is probably some extra security solution installed that kills anything that seems suspicious.

Helge Wiethoff added a comment -

Hey Petr,

thanks for your fast answer! I will check my server..

greets,
helge

Barry Bookout added a comment -

Helge,

Did you discover a solution to this? We are having the same problem.

We find that, in addition to "system(", having any of the words "include" or "includes" or "require_once" in the text also causes a white screen on submission to modedit.php.

Our server is running FreeBSD 6.3, Moodle version 1.8.3+. Apache mod_security module is NOT installed on our system.

The filter block in our php.ini file is
[filter]
;filter.default = unsafe_raw
;filter.default_flags =

Thanks for any help or suggestions,

Barry

Petr Škoda (skodak) added a comment -

Maybe you would get better support if you posted in moodle.org forums, more ppl are reading them

Helge Wiethoff added a comment -

Hey all!

Yepp. We found a solution for this problem:
An older moodle-installation was infected by this hack:
http://packetstormsecurity.org/0809-exploits/moodle-exec.txt
and a file called license.php was written to the server.
The config.php was rewritten by a script with this code in the bottom lines:
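<?php
// Injected filter: abort the request if any request value matches the pattern
foreach ($_REQUEST as $key => $val)
{
    if ( preg_match('/eval.*\(|system.*\(|passthru.*\(|exec.*\(|include|require_once|move_uploaded_file.*\(/i', $val) )
    {
        exit; // no output at all, hence the white screen
    }
}
?>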

In our case we just edited the config.php because the infected system was on a different server.

Greets,
Helge
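
Added example, not part of the original thread and not Moodle code: a small triage script that looks for the kind of block described in the comment above (a loop over a request superglobal that runs preg_match and then exits) and reports which form inputs it would silently drop. The sample config tail, hostname and probe strings are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample: tail of a tampered config.php, modelled on the snippet
# quoted in this thread (hostname and regex are illustrative).
SAMPLE_CONFIG = r"""<?php
$CFG->wwwroot = 'http://moodle.example.test';
require_once("$CFG->dirroot/lib/setup.php");
?>
<?php
foreach ($_REQUEST as $key => $val)
{
if ( preg_match('/eval.*\(|system.*\(|include|require_once/i', $val) )
{ exit; }
}
?>
"""

# Loop over a request superglobal, preg_match on its values, then exit/die:
# the shape that yields a blank page with no PHP error.
KILL_SWITCH = re.compile(
    r"foreach\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\b.{0,300}?"
    r"preg_match\s*\(\s*(['\"])(?P<delim>.)(?P<pattern>.*?)(?P=delim)"
    r"(?P<flags>[a-zA-Z]*)\1.{0,300}?\b(?:exit|die)\b",
    re.DOTALL,
)

def find_kill_switches(php_source):
    """Return line number, regex body and flags of each suspicious block."""
    return [
        {"line": php_source.count("\n", 0, m.start()) + 1,
         "pattern": m.group("pattern"), "flags": m.group("flags")}
        for m in KILL_SWITCH.finditer(php_source)
    ]

def blocked_inputs(finding, probes):
    """Probes the filter would silently drop. Assumes the PCRE body is simple
    enough to be valid Python `re` syntax, which holds for keyword lists."""
    flags = re.IGNORECASE if "i" in finding["flags"] else 0
    rx = re.compile(finding["pattern"], flags)
    return [p for p in probes if rx.search(p)]

# Constructed form inputs, as a teacher might type them into the HTML editor.
PROBES = ["system(", "Please include a photo", "require_once", "Weekly forum post"]

if __name__ == "__main__":
    for f in find_kill_switches(SAMPLE_CONFIG):
        print(f"line {f['line']}: /{f['pattern']}/{f['flags']}")
        print("  would blank the page for:", blocked_inputs(f, PROBES))
```

A hit in config.php or any other file included on every request explains the symptom reported here, and the file should then be compared against a known-good copy.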

