Moodle tracker: MDL-61261

Stored self-XSS in /badges/mybackpack.php

    • Issue type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Fix version/s: 3.3.5, 3.4.2
    • Affects version/s: 3.3.4, 3.4.1
    • Component/s: Badges
    • Affected branches: MOODLE_33_STABLE, MOODLE_34_STABLE
    • Fixed branches: MOODLE_33_STABLE, MOODLE_34_STABLE
    • Pull master branch: MDL-61261-master

      Testing instructions

      1. Log in and navigate to "User preferences"
      2. Under "Badges" choose "Backpack settings"
      3. Instead of writing a valid email address, enter "<script>alert(1);</script>"
      4. With a code inspector, change the hidden backpackurl form value to https://pastebin.com/raw/HJWNqwnk? (make sure you keep the question mark at the end)
      5. Click the "Connect to backpack" button
      6. CONFIRM that the value you entered was not saved in the form and that an error was shown

      Hello,

      I discovered a vulnerability in /badges/mybackpack.php where I achieved stored XSS.

      Description

      When making a request to https://backpack.openbadges.org via /badges/mybackpack.php, it will return a JSON response stating either that the given email exists or that it does not exist.

      If I change the URL to a URL under my control (via POST, for example https://pastebin.com/raw/HJWNqwnk?, including the question mark), it will say the email exists and will put the given email on the page (in this case an XSS payload).

      URL:
      https://localhost/moodle/badges/mybackpack.php

      POST data:
      userid=1&backpackurl=https%3A%2f%2fpastebin.com%2fraw%2fHJWNqwnk%3F&email=<script>alert(1);</script>&sesskey=:SESSKEY&qf_edit_backpack_form=1&mform_isexpanded_id_backpackheader=1&revertbutton=Connect+using+a+different+email+address

      https://i.imgur.com/pQJNLpv.png


      Kind regards,

      Damian Ebelties
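The report above describes two independent trust failures in the backpack form: the submitted email is echoed back without being validated or escaped, and the hidden backpackurl field is trusted even though the client can rewrite it, so an attacker-chosen server can answer "email exists" for any string. The testing instructions check the fix by expecting an error instead of the stored value. The following is an added example, not Moodle's own code, showing the three checks a server-side handler needs to close this hole in plain PHP (no Moodle APIs): reject non-email input, accept only an allow-listed backpack URL, and escape anything that is rendered back. The constant ALLOWED_BACKPACKS and the function names are hypothetical; the constructed $attack array mirrors the POST data from the report.

```php
<?php
// Added example (not Moodle's code): minimal model of the server-side checks
// that prevent the stored self-XSS described in the report.

// Hypothetical allow-list: only the backpack(s) the site is configured to use.
const ALLOWED_BACKPACKS = ['https://backpack.openbadges.org'];

/**
 * Validate the submitted backpack form.
 * Returns an array with an 'errors' map (empty when the input is acceptable)
 * plus the normalised 'email' and 'backpackurl' values.
 */
function validate_backpack_form(array $post): array {
    $errors = [];
    $email = trim((string)($post['email'] ?? ''));
    $url   = (string)($post['backpackurl'] ?? '');

    // Check 1: the email must be a syntactically valid address. A payload such
    // as "<script>alert(1);</script>" fails here, so it is never stored and
    // never reaches the page, whatever the remote backpack replies.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid email address';
    }

    // Check 2: backpackurl is a hidden field and therefore attacker-controlled.
    // Require an exact, case-sensitive allow-list match; the "?"-suffixed
    // pastebin URL from the report is rejected before any request is made,
    // so its JSON answer is never consulted.
    if (!in_array($url, ALLOWED_BACKPACKS, true)) {
        $errors['backpackurl'] = 'Unknown backpack URL';
    }

    return ['errors' => $errors, 'email' => $email, 'backpackurl' => $url];
}

/**
 * Check 3 (defence in depth): escape any value before it goes back into HTML,
 * even one that already passed validation.
 */
function render_email_notice(string $email): string {
    $safe = htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Backpack email: ' . $safe . '</p>';
}

// Constructed request mirroring the POST data in the report.
$attack = [
    'userid'      => '1',
    'backpackurl' => 'https://pastebin.com/raw/HJWNqwnk?',
    'email'       => '<script>alert(1);</script>',
];

// Constructed request a legitimate user would send.
$legit = [
    'userid'      => '1',
    'backpackurl' => 'https://backpack.openbadges.org',
    'email'       => 'user@example.com',
];

foreach (['attack' => $attack, 'legit' => $legit] as $label => $post) {
    $result = validate_backpack_form($post);
    echo $label, ': ', empty($result['errors']) ? 'accepted' : 'rejected', PHP_EOL;
    foreach ($result['errors'] as $field => $message) {
        echo "  $field: $message", PHP_EOL;
    }
}

// Even if a raw value slipped through, escaping renders it inert.
echo render_email_notice($attack['email']), PHP_EOL;
```

Run it with `php example.php`: the attack request is rejected on both fields, the legitimate one is accepted, and the final line shows the script tags converted to entities rather than markup. The order of the checks matters: validating the URL before contacting it means the server never issues a request to an attacker-controlled host, which also removes the server-side request forgery angle the hidden field would otherwise open.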

        Attachments:
        1. Verified MDL-61261_Master.jpg (143 kB)
        2. Verified MDL-61261_34.PNG (108 kB)
        3. Verified MDL-61261_33.PNG (111 kB)
        4. moodle-xss.PNG (102 kB)

            People: Sara Arjona (@sarjona), Damian, David Mudrák (@mudrd8mz), Andrew Lyons, Gladys Basiana
