
Session File Disclosure if you know the name

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Trivial
    • Resolution: Fixed
    • Affects Version/s: 1.4.2
    • Fix Version/s: None
    • Component/s: General
    • Labels:
      None
    • Environment:
      All
    • Database:
      Any
    • Affected Branches:
      MOODLE_14_STABLE

      Description

      Two vulnerabilities have been found in Moodle CMS:

      a) ] Type: Cross Site Scripting [

      ] File: /mod/forum/view.php [

      ] Description: [

      It is a well-known fact that all user-dependent variables should be checked for inaccurate values. The variable $search in view.php is not (line 54):

      > $buttontext = forum_print_search_form($course, $search, true, "plain");

      ] Proof of concept: [

      The following request will alert the values of the logged-in user's cookies:

      > http://localhost/moodle/mod/forum/view.php?id=1&search=moodle%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

      where the id parameter must be an existing course ID.

      b) ] Type: Session File Disclosure [

      ] File: file.php [

      ] Description: [

      All files containing session data are saved in the `moodledata` dir, which should be invisible from the web. But it is possible to gain access to them (line 45):

      > $pathname = $CFG->dataroot.$pathinfo;

      $pathinfo is checked by the function detect_munged_arguments(), which allows one use of `..` to skip to the parent directory. We can use it to skip to the `moodledata` folder itself and then read the session files (`sess_*`) from there.

      To obtain a session ID we can use the cross site scripting vulnerability.

      ] Proof of concept: [

      The following request will disclose the session file:

      > http://localhost/moodle/file.php?file=/1/../sessions/sess_6ac3b47ee23c6aa55896f4cd68af9622

      Where:

      • `1` after ?file=/ is an existing course ID,
      • `6ac3b47ee23c6aa55896f4cd68af9622` is the session ID
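      An added example, not Moodle's own code: a Python model of the two checks this report turns on. weak_check() approximates the one-`..` allowance the report attributes to detect_munged_arguments(); resolve_course_file() is a hardened replacement that normalizes the requested path and refuses anything that does not stay under the course directory; escape_search() is the attribute escaping that the forum search form's $search value needs before it is echoed. The dataroot location is a constructed value.

```python
import html
import posixpath

# Constructed example value; the real $CFG->dataroot is site-specific.
DATAROOT = "/var/www/moodledata"

# The file= value from the report's proof of concept (session ID as quoted there).
POC_PATH = "/1/../sessions/sess_6ac3b47ee23c6aa55896f4cd68af9622"


def weak_check(pathinfo: str) -> bool:
    """Approximates the behaviour the report describes for
    detect_munged_arguments(): a single '..' is tolerated, so one hop
    out of the course directory (into moodledata itself) is accepted."""
    return pathinfo.count("..") <= 1


def resolve_course_file(dataroot: str, pathinfo: str):
    """Hardened resolution for file.php-style requests.

    The first path component must be a numeric course ID and the
    normalized path must stay inside <dataroot>/<courseid>/.
    Returns the absolute path, or None when the request must be refused.
    """
    # Pinning the path under a virtual root before normalizing means '..'
    # can never climb above it; normpath also collapses '.' and '//'.
    normalized = posixpath.normpath("/" + pathinfo.lstrip("/"))
    parts = [p for p in normalized.split("/") if p]
    if len(parts) < 2 or not parts[0].isdigit():
        return None  # '/1/../sessions/...' normalizes to '/sessions/...' and fails here
    course_root = posixpath.join(dataroot, parts[0])
    full = posixpath.join(course_root, *parts[1:])
    # Every remaining component is a plain name after normalization, but the
    # prefix check keeps the invariant explicit and cheap to audit.
    if not full.startswith(course_root + "/"):
        return None
    return full


def escape_search(search: str) -> str:
    """Escaping a user-supplied $search needs before being placed in an
    HTML attribute: quotes and angle brackets become entities, so the
    report's '"><script>' payload cannot break out of the attribute."""
    return html.escape(search, quote=True)
```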
