Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-45596

Filter in manager profile permission is not escaped

    XMLWordPrintable

    Details

    • Testing Instructions:
      Hide
      1. Go to Home ► Site administration ► Users ► Permissions ► Check system permissions
      2. Select a user and view its permissions
      3. In the filter input box, enter:

        "> <img src="http://thecatapi.com/api/images/get?format=src&type=gif">
        

      4. Blur the input field
      5. Refresh the page
      6. Make sure you don't see a cat (and the filter input contains your search)
      Show
      Go to Home ► Site administration ► Users ► Permissions ► Check system permissions Select a user and view its permissions In the filter input box, enter: "> <img src="http://thecatapi.com/api/images/get?format=src&type=gif"> Blur the input field Refresh the page Make sure you don't see a cat (and the filter input contains your search)
    • Affected Branches:
      MOODLE_26_STABLE, MOODLE_27_STABLE
    • Fixed Branches:
      MOODLE_26_STABLE, MOODLE_27_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-45596-master
    • Sprint:
      FRONTEND Sprint 13

      Description

      Hello,
      I found a bug in Manager>My profile settings>role & Site administration> User>permission
      it is a Reflected Xss bug.

      Steps of Reproduction:-
      POC:- 1.https://www.dropbox.com/s/2vra0w7n3dynbb9/moodle%20Stored%20xss.mp4

      2.https://www.dropbox.com/s/riw7l83pi988jgb/moodle%20xss.mp4

      Thankx..

        Attachments

        1. MDL-45596-26.mdk.patch
          3 kB
        2. MDL-45596-27.mdk.patch
          3 kB
        3. MDL-45596-master.mdk.patch
          3 kB
        4. moodle xss.png
          moodle xss.png
          136 kB

          Activity

            People

            Assignee:
            fred Frédéric Massart
            Reporter:
            root8085 Yogendra Sharma
            Peer reviewer:
            Ankit Agarwal
            Integrator:
            Dan Poltawski
            Tester:
            Damyon Wiese
            Participants:
            Component watchers:
            Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Fix Release Date:
              14/Jul/14