
Stored self-XSS in /badges/mybackpack.php


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.3.4, 3.4.1
    • Fix Version/s: 3.3.5, 3.4.2
    • Component/s: Badges
    • Testing Instructions:

      1. Login and navigate to "User preference"
      2. Under "Badges" choose "Backpack settings"
      3. Instead of writing a valid email address, enter "<script>alert(1);</script>"
      4. With some code inspector, change the backpackurl hidden form value to https://pastebin.com/raw/HJWNqwnk? (make sure you have the question mark at the end).
      5. Click the "Connect to backpack" button
         1. CONFIRM the value you entered was not saved in the form and that an error was shown
    • Affected Branches:
      MOODLE_33_STABLE, MOODLE_34_STABLE
    • Fixed Branches:
      MOODLE_33_STABLE, MOODLE_34_STABLE
    • Pull Master Branch:
      MDL-61261-master

      Description

      Hello,

      I discovered a vulnerability in /badges/mybackpack.php where I achieved stored XSS.

      Description

      When making a request to https://backpack.openbadges.org via /badges/mybackpack.php, it will return a JSON response stating either that the given email exists or that it does not.

      If I change the URL to one under my control (via POST, for example https://pastebin.com/raw/HJWNqwnk?, including the question mark), it will say the email exists and will put the given e-mail on the page (in this case an XSS payload).


      URL:
      https://localhost/moodle/badges/mybackpack.php
      POST data:
      userid=1&backpackurl=https%3A%2f%2fpastebin.com%2fraw%2fHJWNqwnk%3F&email=<script>alert(1);</script>&sesskey=:SESSKEY&qf_edit_backpack_form=1&mform_isexpanded_id_backpackheader=1&revertbutton=Connect+using+a+different+email+address

      https://i.imgur.com/pQJNLpv.png


      Kind regards,

      Damian Ebelties
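The defensive pattern the fix exercises ("the value you entered was not saved in the form and an error was shown") is shown below as an added example in Python; it is not Moodle's own code and does not reproduce Moodle's PHP form API. It assumes an allow-list of backpack hosts, a backpack JSON reply of the shape {"status": "okay", ...} when an address is known, and placeholder host names and function names chosen for the example. The point it demonstrates is the one the report turns on: a remote service's answer must never decide whether client input is safe, so the email and the (hidden, still client-controlled) backpack URL are validated before any lookup, a rejected value is never stored, and whatever is re-displayed is HTML-escaped on output.

```python
import html
import re
from urllib.parse import urlparse

# Constructed allow-list for this example; Moodle's real configuration is not modelled.
ALLOWED_BACKPACK_HOSTS = {"backpack.openbadges.org"}

# Deliberately simple address pattern for the example; a real application uses its
# framework's own validator. Anything containing markup or whitespace fails it.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def validate_email(value):
    """Server-side check of the submitted address, independent of any remote lookup."""
    return bool(value) and len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None


def validate_backpack_url(value):
    """Only HTTPS URLs on an allow-listed host may be queried.

    The backpackurl field is hidden in the form, but a hidden field is still
    client input and is rewritten trivially with a browser inspector.
    """
    parts = urlparse(value)
    return parts.scheme == "https" and (parts.hostname or "") in ALLOWED_BACKPACK_HOSTS


def process_connect_form(form, lookup):
    """Handle the 'Connect to backpack' submission.

    form   -- dict of the POSTed fields (email, backpackurl)
    lookup -- callable(url, email) -> dict parsed from the backpack's JSON reply
              (assumed shape: {"status": "okay", ...} when the address is known)

    Returns (errors, saved). On any failure errors is non-empty and saved is
    None, so a rejected value is never written to the user's record and never
    pre-filled back into the form.
    """
    errors = {}
    email = form.get("email", "")
    url = form.get("backpackurl", "")

    # Validate everything the client sent before talking to anyone.
    if not validate_email(email):
        errors["email"] = "Enter a valid email address"
    if not validate_backpack_url(url):
        errors["backpackurl"] = "Backpack URL is not allowed"
    if errors:
        return errors, None

    # The remote reply only decides whether a backpack exists; it is never
    # evidence that the input is safe to store or display.
    reply = lookup(url, email)
    if not isinstance(reply, dict) or reply.get("status") != "okay":
        errors["email"] = "No backpack was found for this address"
        return errors, None
    return {}, {"email": email, "backpackurl": url}


def render_email_field(value):
    """Output encoding for the re-displayed field, applied whatever validation decided."""
    return '<input type="text" name="email" value="%s">' % html.escape(value, quote=True)


def always_okay_lookup(url, email):
    """Constructed stand-in for a lookup endpoint that claims every address exists,
    which is the behaviour the report describes for an attacker-chosen URL."""
    return {"status": "okay", "userId": 1}


if __name__ == "__main__":
    # Constructed submission mirroring the report: markup in the email field and a
    # backpackurl pointing at a placeholder host instead of the real backpack.
    bad_form = {"email": "<script>alert(1);</script>",
                "backpackurl": "https://attacker.example/raw/reply?"}
    errors, saved = process_connect_form(bad_form, always_okay_lookup)
    print(errors, saved)                           # two errors, nothing saved
    print(render_email_field(bad_form["email"]))   # markup is escaped if ever echoed
```

Two things matter in the ordering here: the lookup is reached only after both fields pass local validation, and the escaping in render_email_field is unconditional, so even a validation bug cannot turn a stored value into markup on the page.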

        Attachments

        1. moodle-xss.PNG (102 kB)
        2. Verified MDL-61261_33.PNG (111 kB)
        3. Verified MDL-61261_34.PNG (108 kB)
        4. Verified MDL-61261_Master.jpg (143 kB)


        People

        • Votes: 0
        • Watchers: 10

        Dates

        • Fix Release Date: 19/Mar/18

        Time Tracking

        • Original Estimate: 0 minutes
        • Remaining Estimate: 0 minutes
        • Time Spent: 1 hour