
Session File Disclosure if you know the name

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Trivial
    • Resolution: Fixed
    • Affects Version/s: 1.4.2
    • Fix Version/s: None
    • Component/s: General
    • Labels:
      None
    • Environment:
      All
    • Database:
      Any
    • Affected Branches:
      MOODLE_14_STABLE
    • Rank:
      14105

      Description

      Two vulnerabilities have been found in Moodle CMS:

      a) ] Type: Cross Site Scripting [
      ] File: /mod/forum/view.php [
      ] Description: [

      It is a well-known fact that all user-dependent variables should be checked for inaccurate values. The variable $search in view.php is not:

      54> $buttontext = forum_print_search_form($course, $search, true, plain);

      ] Proof of concept: [

      The following request will alert the values of the logged-in user's cookies:

      > http://localhost/moodle/mod/forum/view.php?id=1&search=moodle%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

      where the id variable should be an existing course ID.

      b) ] Type: Session File Disclosure [
      ] File: file.php [
      ] Description: [

      All files containing session data are saved in the `moodledata` dir, which should be invisible from the web. But it is possible to gain access to them:

      45> $pathname = $CFG->dataroot.$pathinfo;

      $pathinfo is checked by the function detect_munged_arguments(), which allows one use of `..` to skip to the parent directory. We can use it to skip to the `moodledata` folder itself and then read files from `sess`.

      To obtain a session ID we can use the cross site scripting vulnerability.

      ] Proof of concept: [

      The following request will disclose the session file:

      > http://localhost/moodle/file.php?file=/1/../sessions/sess_6ac3b47ee23c6aa55896f4cd68af9622

      where:

      • `1` after ?file=/ is an existing course ID,
      • `6ac3b47ee23c6aa55896f4cd68af9622` is the session ID

        Activity

        Martin Dougiamas added a comment -

        From Martin Dougiamas (martin at moodle.com) Tuesday, 14 December 2004, 04:55 PM:

        I've upgraded the parameter checking in that script to use our new functions, so that is now solved in 1.4.3.

        The session stuff doesn't seem too critical... as nothing of real value is kept in those session files, and you need to know the key anyway.

        Skodak has some new file.php in 1.5 ... does that fix this problem, Petr?

        Assigning to skodak to look at this and close if necessary.

        From Bartek Nowotarski (silence10 at wp.pl) Tuesday, 14 December 2004, 06:15 PM:

        > The session stuff doesn't seem too critical... as nothing of real value is kept in those session files, and you need to know the key anyway.

        Well, MD5 hash is saved there. And the key can be obtained by Cross Site Scripting vulnerability.

        From Petr Skoda (skodak at centrum.cz) Tuesday, 14 December 2004, 11:25 PM:

        a) I have missed this one

        b) As a short term solution we should change the default value $allowdots=0 in detect_munged_arguments. I do not know why it is there exactly (some flash stuff??), but sure I do not like it at all.

        The new handling of uploaded files solves all this, but people do not seem to be interested in testing

        =====

        Anyway it is not a good idea to post these in bugtracker, next time please report to security@moodle.org

        From Bartek Nowotarski (silence10 at wp.pl) Tuesday, 14 December 2004, 11:51 PM:

        I agree that changing:

        > function detect_munged_arguments($string, $allowdots=1) {

        to

        > function detect_munged_arguments($string, $allowdots=0) {

        is the best idea.

        PS. Next time I will report bugs to security@moodle.org. I did not know such an e-mail exists.

        It will be a good idea to mention it on the 'Moodle: Development' page: http://moodle.org/mod/resource/view.php?id=17

        From Petr Skoda (skodak at centrum.cz) Wednesday, 15 December 2004, 12:41 AM:

        I was planning to update coding guides and development info, but did not have time yet

        From Martin Dougiamas (martin at moodle.com) Wednesday, 15 December 2004, 11:53 AM:

        The default to detect_munged_arguments is 1 because a lot of uploaded web sites have pages inside subdirectories that refer to images and other files in the parent directory or in a sister directory.

        Does the new file stuff change this behaviour? Or is it just checking for vulnerabilities better?

        From Bartek Nowotarski (silence10 at wp.pl) Wednesday, 15 December 2004, 09:08 PM:

        Please, look at view.php also since it is not fixed yet...

        From Petr Skoda (skodak at centrum.cz) Thursday, 16 December 2004, 04:53 AM:

        We are discussing it now, it should be solved in 1.4.3, thanks for report.

        From Martin Dougiamas (martin at moodle.com) Thursday, 30 December 2004, 11:23 PM:

        Despite what you posted to Bugtraq, Bartek, the session file disclosure WAS actually fixed in 1.4.3 ...

        From Martin Dougiamas (martin at moodle.com) Friday, 31 December 2004, 02:52 PM:

        Oh, and secunia, too, marvellous. http://secunia.com/advisories/13694/
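The path check at the heart of part (b) of the report, and of the $allowdots exchange in the comments above, can be shown in a few lines. The following is an added example written for this page, not Moodle's own file.php or detect_munged_arguments(); it is in Python rather than PHP because the lesson is language-independent. The data-root layout (`/var/moodledata/<courseid>/...` with a sibling `sessions` directory), the numeric course-id convention (inferred from the PoC's `?file=/1/`) and the `legacy_allows` stand-in for the "one `..` permitted" policy are all assumptions made here. It goes slightly beyond the report by also showing a request that hops from one course directory into another.

```python
import posixpath

# Constructed data root for the demonstration (an assumption, not Moodle's
# real layout): per-course files live under <DATAROOT>/<courseid>/..., and
# session files live in a sibling directory that no request may reach.
DATAROOT = "/var/moodledata"


def legacy_allows(pathinfo: str, allowdots: int = 1) -> bool:
    """Model of the policy the report describes: tolerate `..` up to
    `allowdots` times and otherwise let the path through. This is a
    stand-in written for the example, not Moodle's detect_munged_arguments().
    Counting dot segments says nothing about where the path ends up."""
    if "\0" in pathinfo:
        return False
    return pathinfo.count("..") <= allowdots


def hardened_resolve(pathinfo: str, dataroot: str = DATAROOT):
    """Canonicalise first, then confine. Returns (course_id, absolute_path)
    when the request stays inside one course directory, else None.
    The course id is taken from the *normalised* path, so whatever access
    check the caller performs applies to the directory actually being read."""
    if "\0" in pathinfo:
        return None
    # Treat the request as a path rooted at dataroot; normpath collapses
    # "." and ".." lexically, and a leading ".." on an absolute path is dropped.
    norm = posixpath.normpath("/" + pathinfo.lstrip("/"))
    parts = [p for p in norm.split("/") if p]
    if len(parts) < 2 or not parts[0].isdigit():
        # No file inside a course directory was requested: this is where
        # "/1/../sessions/..." ends up after it collapses to "/sessions/...".
        return None
    course_id = parts[0]
    course_root = posixpath.join(dataroot, course_id)
    full = posixpath.join(dataroot, *parts)
    # Belt and braces: confine by prefix on the canonical path as well.
    if not full.startswith(course_root + "/"):
        return None
    return course_id, full


if __name__ == "__main__":
    # Constructed requests: the shape of the report's PoC path (session id
    # replaced by a placeholder), a legitimate parent-directory reference
    # inside an uploaded site, and a hop between two course directories.
    for req in ("/1/../sessions/sess_SESSIONID_PLACEHOLDER",
                "/1/site/sub/../images/logo.png",
                "/1/../2/notes.txt"):
        print(f"{req:45} legacy={legacy_allows(req)!s:5} hardened={hardened_resolve(req)}")
```

Martin's concern about uploaded sites whose pages refer to a parent or sister directory is met by the second request: the `..` is collapsed before the confinement check, so relative references that stay inside the course directory keep working, while the PoC shape collapses to a path outside every course directory and is refused regardless of how many `..` segments it used. Deriving the course id from the canonical path matters too: the third request resolves to course 2, so any enrolment check must be made against course 2, not the `1` that appears in the raw request.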

        Michael Blake added a comment -

        assign to a valid user
