Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-61261

Stored self-XSS in /badges/mybackpack.php

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 3.3.4, 3.4.1
    • 3.3.5, 3.4.2
    • Badges
    • MOODLE_33_STABLE, MOODLE_34_STABLE
    • MOODLE_33_STABLE, MOODLE_34_STABLE
    • MDL-61261-master
    • Hide

      Testing instructions

      1. Login and navigate to "User preference"
      2. Under "Badges" choose "Backpack settings"
      3. Instead writing a valid email address, enter "<script>alert(1);</script>"
      4. With some code inspector, change backpackurl hidden form value to https://pastebin.com/raw/HJWNqwnk? (make sure you have the question mark at the end).
      5. Click the "Connect to backpack" button
        1. CONFIRM the value you entered was not saved in the form and that an error was shown
      Show
      Testing instructions Login and navigate to " User preference " Under " Badges " choose " Backpack settings " Instead writing a valid email address, enter " <script>alert(1);</script> " With some code inspector, change backpackurl hidden form value to https://pastebin.com/raw/HJWNqwnk? (make sure you have the question mark at the end). Click the "Connect to backpack" button CONFIRM the value you entered was not saved in the form and that an error was shown

    Description

      Hello,

      I discovered a vulnerability in /badges/mybackpack.php where I achieved stored XSS.

      Description

      When making a request to https://backpack.openbadges.org via /badges/mybackpack.php it will give either a JSON response that states the email given exists or does not exist.

      If I change the url to a URL under my controll (via POST, for example: https://pastebin.com/raw/HJWNqwnk? including the question mark) it will say the email exists and will put the given e-mail on the page (in this case a XSS payload).

       

      URL:
      https://localhost/moodle/badges/mybackpack.php
      POST data:
      userid=1&backpackurl=https%3A%2f%2fpastebin.com%2fraw%2fHJWNqwnk%3F&email=<script>alert(1);</script>&sesskey=:SESSKEY&qf_edit_backpack_form=1&mform_isexpanded_id_backpackheader=1&revertbutton=Connect+using+a+different+email+address
      
      

      https://i.imgur.com/pQJNLpv.png

       

      Kind regards,

      Damian Ebelties

      Attachments

        1. moodle-xss.PNG
          102 kB
          Damian
        2. Verified MDL-61261_33.PNG
          111 kB
          Gladys Basiana
        3. Verified MDL-61261_34.PNG
          108 kB
          Gladys Basiana
        4. Verified MDL-61261_Master.jpg
          143 kB
          Gladys Basiana

        Activity

          People

            sarjona Sara Arjona (@sarjona)
            damian Damian
            David Mudrák (@mudrd8mz) David Mudrák (@mudrd8mz)
            Andrew Lyons Andrew Lyons
            Gladys Basiana Gladys Basiana
            Yuliya Bozhko, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Laurent David, Raquel Ortega, Sara Arjona (@sarjona)
            Votes:
            0 Vote for this issue
            Watchers:
            11 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:
              19/Mar/18

              Time Tracking

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 1 hour
                1h