  1. Plugins
  2. CONTRIB-254

Potential SQL-Inject Issue

Details

    • Bug
    • Resolution: Fixed
    • Critical
    • 1.8
    • 1.8.2
    • Block: Mrbs
    • None
    • Uncertain

    Description

      Hi,

      A colleague passed along the following link to a potential security issue with Moodle 1.8.2. We cannot locate this "ing/blocks/mrdb/" path, so are not certain where in the stack the issue may surface, if at all. Might this be an add-on? (Apologies if this is a repeat of another issue: I did a search and could not find it.)

      http://www.securityfocus.com/archive/1/485434

      PATH/moodle/ing/blocks/mrbs/code/web/view_entry.php?id=[SQL]&day=27&month=10&year=2007

      And a POC:

      PATH/moodle/ing/blocks/mrbs/code/web/view_entry.php?id=2000%20UNION%20SELECT%20username,id,id,id,id,id,id,id,id,id,id,id%20FROM%20mdl_user%20WHERE%20id=[ID]&day=27&month=10&year=2007

      Thanks,

      Jim
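
An added example, not part of the original report and not MRBS or Moodle code: a Python/SQLite model of why a concatenated `id` lets the 12-column UNION in the POC read `mdl_user`, next to a hardened lookup that validates the integer and binds it. The table layouts, the sample rows, the function names and the value 7 standing in for `[ID]` are assumptions constructed for the demonstration.

```python
import re
import sqlite3

# The report's POC value for `id`, URL-decoded; 7 stands in for the report's [ID] (constructed).
POC_ID = ("2000 UNION SELECT username,id,id,id,id,id,id,id,id,id,id,id "
          "FROM mdl_user WHERE id=7")

def make_db():
    """Constructed tables: a 12-column entry table and mdl_user (not MRBS's real schema)."""
    db = sqlite3.connect(":memory:")
    cols = ", ".join(f"c{i}" for i in range(1, 12))  # c1..c11, plus id = 12 columns
    db.execute(f"CREATE TABLE mrbs_entry (id INTEGER PRIMARY KEY, {cols})")
    db.execute("CREATE TABLE mdl_user (id INTEGER PRIMARY KEY, username TEXT)")
    db.execute("INSERT INTO mrbs_entry (id, c1) VALUES (1, 'Staff meeting')")
    db.execute("INSERT INTO mdl_user VALUES (7, 'admin')")
    return db

def view_entry_vulnerable(db, raw_id):
    # Request value concatenated into the statement, so it is parsed as SQL.
    return db.execute("SELECT * FROM mrbs_entry WHERE id=" + raw_id).fetchall()

def parse_entry_id(raw_id):
    # Allow only a short run of ASCII digits; reject everything else before any SQL runs.
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError("id must be a decimal integer")
    return int(raw_id)

def view_entry_hardened(db, raw_id):
    # Validated integer, passed as a bound parameter rather than as statement text.
    entry_id = parse_entry_id(raw_id)
    return db.execute("SELECT * FROM mrbs_entry WHERE id = ?", (entry_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", view_entry_vulnerable(db, POC_ID))
    print("hardened, id=1:", view_entry_hardened(db, "1"))
    try:
        view_entry_hardened(db, POC_ID)
    except ValueError as exc:
        print("hardened, POC rejected:", exc)
```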

          People

            aborrow Anthony Borrow
            jwjwj James Williamson