Affects Version/s: 2.4.10, 2.5.6, 2.6.1, 2.6.3, 2.7
Test 1: Make sure filemanager and editor form elements work with JS on and off and when choosing different formats for text
Test 2: Try substituting values for hidden elements related to filemanager and editor form elements and make sure that they are not repeated on the page after form submission
Affected Branches:MOODLE_24_STABLE, MOODLE_25_STABLE, MOODLE_26_STABLE, MOODLE_27_STABLE
Fixed Branches:MOODLE_24_STABLE, MOODLE_25_STABLE, MOODLE_26_STABLE, MOODLE_27_STABLE
Sprint:BACKEND Sprint 13
We have the issue below reported to us via a security review of Totara, and since it also affects moodle/master I am reporting it here.
I am reasonably sure that it is not exploitable, but I am not a security expert therefore I thought I'd better report it just in case. Feel free to close as not a bug if that is the case.
The report is as follows:
It has been detected by exploiting the parameter imagefile of the form located in URL [SITEURL]/user/edit.php?id=70&course=1
There is a similar issue with the summary_editor[itemid] parameter of editor form elements.
The problem only occurs in forms where the submitted value is being set as the initial value for the field when the form fails validation and is being redisplayed. Someone could potentially insert something malicious in the value field and have it executed when the page returns.
The reason we don't think this is exploitable is that it seems that the malicious code can only originate and execute on the same client.
However we did note that the Chrome XSS-Auditor blocked the code from executing "because [the script's] source code was found within the request".
We had a look to see where the problem is. It appears to be with the way the values for these form elements are filtered when server side validation of the form has failed. "getCleanType" is returning "cleanhtml" and "raw" for the editor and filemanager elements, respectively. "clean_param" with type PARAM_CLEANHTML is being applied to all three of the parameters for the editor, "description_editor[text]", "description_editor[format]" and "description_editor[itemid]", while the "itemid" and "format" parameters seem to only even contain integers. "imagefile" is being cleaned with type PARAM_RAW (the default when no setType has been specified).
This could be a problem with other form element types - any element where setType is not specified, or when an insufficient filter type is specified and the field is not cleaned in some other way before being sent back to the client when there is a validation error.