  1. Moodle
  2. MDL-22388

Reporter says input not properly verified on various form scripts

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.9.8
    • Fix Version/s: 1.9.9
    • Component/s: None
    • Labels:
    • Affected Branches:
      MOODLE_19_STABLE
    • Fixed Branches:
      MOODLE_19_STABLE

      Description

      As reported by eidelweiss@cyberservices.com via the moodle.org contact form:

      The vulnerability in Moodle versions 1.9.8+ is:

      1. No sanitize, not defined and no login required for:

      <?***
      require_once($CFG->libdir.'/formslib.php');
      ***?>

      2. Input passed to the "libdir" and "dirroot" parameters in multiple files is
      not properly verified before being used to include files. This can be exploited
      to execute arbitrary PHP code by including files from local or external
      resources (RFI) and also can be exploited to disclose full user names of other
      users (LFI).
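
The two defences relevant to a report of this kind, shown as an added example (this is not Moodle's code and not the fix applied for this issue): a library file that refuses to run unless the bootstrap has defined a guard constant, and an include helper that only accepts files inside a base directory set by configuration. `APP_INTERNAL`, `resolve_include()` and the temporary files are hypothetical; only `$CFG->libdir` and `formslib.php` come from the report.

```php
<?php
// Added illustration. APP_INTERNAL, resolve_include() and the temp files are hypothetical.

function resolve_include(string $base, string $relative): string
{
    // realpath() returns false for URLs and missing paths, so a remote base never resolves.
    $root = realpath($base);
    if ($root === false || !is_dir($root)) {
        throw new RuntimeException('base directory is not a local directory');
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    $target = realpath($prefix . $relative);
    // After canonicalisation the target must still sit under the base directory.
    if ($target === false || !is_file($target)
        || strncmp($target, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('include target is outside the base directory');
    }
    return $target;
}

// Constructed sample library file: it exits at once when requested directly,
// because only the bootstrap defines the guard constant.
$libdir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_lib_' . getmypid();
mkdir($libdir);
file_put_contents($libdir . DIRECTORY_SEPARATOR . 'formslib.php',
    "<?php\ndefined('APP_INTERNAL') || die('Direct access to this script is forbidden.');\n"
    . "return 'formslib loaded';\n");

// Bootstrap: the guard constant and the base directory come from configuration,
// never from request parameters.
define('APP_INTERNAL', true);
$CFG = new stdClass();
$CFG->libdir = $libdir;

$result = require resolve_include($CFG->libdir, 'formslib.php');
echo $result, PHP_EOL;

// Constructed negative cases: a path that leaves the base directory and a remote base.
$cases = [[$CFG->libdir, '../../etc/passwd'], ['http://example.invalid/lib', 'formslib.php']];
foreach ($cases as [$base, $relative]) {
    try {
        resolve_include($base, $relative);
        echo "accepted: $base/$relative", PHP_EOL;
    } catch (RuntimeException $e) {
        echo "rejected $base/$relative: ", $e->getMessage(), PHP_EOL;
    }
}

unlink($libdir . DIRECTORY_SEPARATOR . 'formslib.php');
rmdir($libdir);
```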

            People

            Assignee:
            dougiamas Martin Dougiamas
            Reporter:
            tsala Helen Foster

              Dates

              Created:
              Updated:
              Resolved:
              Fix Release Date:
              8/Jun/10