Moodle

XSS in assignment description

Details

  • Type: Bug
  • Status: Closed
  • Priority: Minor
  • Resolution: Not a bug
  • Affects Version/s: 1.8
  • Fix Version/s: None
  • Component/s: Assignment
  • Labels:
    None
  • Environment:
    Mamp (osx, mysql, apache, php)
  • Database:
    MySQL
  • Affected Branches:
    MOODLE_18_STABLE

Description

It is possible to inject JavaScript into the description of a new assignment by using a simple script tag.

Activity

Petr Škoda (skodak) added a comment -

This is not a bug, only student submitted data is filtered - if we filtered all js, we could not use any Flash, Java, SVG, SCORM, uploaded html files etc.

Hans Wolters added a comment -

This is a bug. Filtering a description is not too hard. A description should never hold any form of Flash, Java, whatever.

Petr Škoda (skodak) added a comment -

Many people do not think so and want to add funny html with active content.

This is not a security problem because the capability (moodle/course:manageactivities) required for editing of this description is marked with XSS risk.

Hans Wolters added a comment -

Well, then we disagree. Most 'hacks' are made from the inside. If Moodle does not want to filter a simple subject, then it might need a wake-up call.

P.S. I've only started to find issues; I will submit more in the next few weeks.

Petr Škoda (skodak) added a comment -

There are many places with unfiltered content submitted by teachers - Resource mod content, Book content, teacher uploaded files (==course files), module descriptions, etc.

On the other hand, all content/files submitted by students or content of unknown origin should be filtered - we are using a modified KSES engine (and HTML Purifier in 1.9dev).
Files uploaded by students are served with special headers that prevent opening in the browser and force a download; there is also special handling of all PDF files. I hope we will implement better enhanced protection soon.

I am glad that you are working on security. Please report any problems you find. I will make sure that any problem is fixed ASAP.

THANKS!!
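The rule Petr describes above (content from a holder of a capability marked with XSS risk is displayed as-is, while student or unknown-origin content goes through a cleaner), shown as an added Python example that is not Moodle's code; Moodle's real cleaner was the modified KSES engine and, later, HTML Purifier, and this is a minimal stand-in for it. The `RISK_XSS` bit value, the tag allowlist and the capability-to-risk map are assumptions of the example; only `moodle/course:manageactivities` comes from the thread.

```python
import html
from html.parser import HTMLParser

RISK_XSS = 0x0004  # bit value assumed for this example; only the thread's capability is listed
CAPABILITIES = {"moodle/course:manageactivities": RISK_XSS}
# Allowlist of tags and the attributes each may keep; everything else is dropped.
ALLOWED = {"p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
           "br": set(), "ul": set(), "ol": set(), "li": set(), "a": {"href", "title"}}
DROP_WITH_CONTENT = {"script", "style", "object", "embed", "applet", "iframe"}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:")


class AllowlistCleaner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:  # the tag and everything inside it is discarded
            self.skip += 1
        elif not self.skip and tag in ALLOWED:
            kept = []
            for name, value in attrs:
                value = value or ""
                # on* handlers, unlisted attributes and script-bearing URLs are dropped;
                # whitespace is removed before the scheme check so "java\tscript:" is caught.
                if (name.startswith("on") or name not in ALLOWED[tag] or
                        (name == "href" and "".join(value.split()).lower().startswith(BAD_SCHEMES))):
                    continue
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:  # text inside a dropped container never reaches the output
            self.out.append(html.escape(data, quote=False))


def clean_html(markup: str) -> str:
    cleaner = AllowlistCleaner()
    cleaner.feed(markup)
    cleaner.close()
    return "".join(cleaner.out)


def render_description(markup: str, author_capabilities) -> str:
    # Thread's rule: a holder of an XSS-risk capability is trusted as-is, anyone else is cleaned.
    trusted = any(CAPABILITIES.get(c, 0) & RISK_XSS for c in author_capabilities)
    return markup if trusted else clean_html(markup)
```

A real purifier also normalises malformed markup and handles far more encoding tricks; the stand-in only shows why the cleaning decision in Moodle hinges on who authored the content rather than on the content itself.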

Petr Škoda (skodak) added a comment -

My skype id is petr.skoda if you want to contact me directly.

Hans Wolters added a comment -

I am very much aware that filtering content isn't easy. To filter a SCORM package is almost undoable. However, this should not mean Moodle should let it go on all other data. Please start filtering what you can.

Currently I am working on blocks that will connect back-office stuff from third parties that is very much needed. I do want to submit it as OSS and so does my employer. We do want a safe environment for it.

Over the next few weeks you might see some weird postings stating a security issue. Please ask me about why it might be an issue if you do not understand.

Regards,

Hans

Hans Wolters added a comment -

I'm not using skype. But you can contact me by e-mail or jabber (hans.wolters@jabber.xs4all.nl)

Petr Škoda (skodak) added a comment -

Filtering of content is a technical problem which can usually be solved; the problem is IMO people wanting to do fancy stuff in web browsers - we are trying to find some balance to make Moodle as secure as possible while keeping it usable and as feature-rich as possible. I am usually the one trying to make it more secure (or adding switches to disable insecure features) - MartinD wants fancy features. Fortunately we are not doing banking.

Thanks again for working on security aspects of Moodle.

BTW I hate Skype; some cough developers cough do not want to use something else more standards-based and open.

Hans Wolters added a comment -

Well, allowing fancy stuff can be defined. If you want to allow http://foo/bar then it can be defined; if you do not want to allow http://sex/forme, then close the popup issues.

Skype isn't something I do not want; I just hate to have two IM clients open, it eats desktop space.

Regards,

Hans

