  2. MDL-61359

Self-XSS when sending message to another user


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 3.4.1, 3.5.1, 3.6
    • Fix Version/s: 3.4.5, 3.5.2
    • Component/s: Messages
    • Labels:
    • Testing Instructions:
      1. Log in as an admin.
      2. If there are no users on your site create one.
      3. Click on the message icon in the top-right.
      4. Click on 'See all'.
      5. Click on the 'Contacts' tab.
      6. Search for another user on the site.
      7. Click on their name.
      8. CONFIRM sending plain text messages works as before (the message appears under the recipient's name as the most recent message, and appears in the message conversation area).
      9. Send the following string as a message, and CONFIRM no alert popup is triggered in the browser:

        <script>alert('Test alert');</script>

        The message should display in the same places as step 2. Note that in the message it will display encoded as &lt;script&gt;alert('Test alert');&lt;/script&gt;, rather than verbatim what was sent, but this is unrelated to this issue/fix.

    • Affected Branches:
      MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE
    • Fixed Branches:
      MOODLE_34_STABLE, MOODLE_35_STABLE
    • Pull 3.5 Branch:
    • Pull Master Branch:
      MDL-61359-master

      Description

      We have received an email to the security address at Moodle with a description of a self-XSS that can be easily reproduced. This is not a security issue because you cannot attack other users.

      Security Researcher: Dan Nino I. Fabro

      Description and Impact:
      I was continually browsing the website when I found something interesting. One of the features of the website is to enable communication with other users using the chatbox, URL: https://school.demo.moodle.net/message/index.php?user=[USERNUMBER]&id=[IDNUMBER]. Now, the input field of the chatbox is the one vulnerable here, wherein an attacker may use this as an attack vector for injecting arbitrary JavaScript code and enable himself to steal or edit cookies of other users of the site.
      I was only using a demo account; what if it were a real account, right?

      Payload used:
      "><img src=x onerror=prompt(document.cookie)>

      Browser used:
      Google Chrome Version 61.0.3163.100 (Official Build)
      (64-bit)
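      The testing instructions above expect the sent string to be displayed encoded rather than executed. The following is an added example, not Moodle's own code, showing the rendering pattern that produces the self-XSS (message text concatenated into markup) beside the escape-on-output pattern that fixes it, plus a small regression check in the spirit of step 9. The function names, the template markup, the sender name and the sample messages are all constructed for this illustration.

```javascript
// Added example (not Moodle's code): why escaping message text on output
// closes the self-XSS described in this issue.

// Minimal HTML escaper covering the five characters that can break out of
// text or attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The bug pattern: untrusted message text concatenated straight into markup.
// A message containing a tag becomes part of the page's DOM.
function renderMessageUnsafe(sender, text) {
  return `<div class="message"><span class="sender">${sender}</span><p>${text}</p></div>`;
}

// The fix pattern: every untrusted value is escaped before it enters markup,
// so the message is shown encoded (as the testing instructions describe).
function renderMessageSafe(sender, text) {
  return `<div class="message"><span class="sender">${escapeHtml(sender)}</span><p>${escapeHtml(text)}</p></div>`;
}

// Regression check mirroring step 9 of the testing instructions: the rendered
// markup must not contain any tag other than the ones the template itself emits.
function containsForeignTag(html, allowedTags) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!allowedTags.includes(m[1].toLowerCase())) return true;
  }
  return false;
}

// Tags the (constructed) template legitimately produces.
const TEMPLATE_TAGS = ['div', 'span', 'p'];

// Constructed sample messages: the test string from the testing instructions
// and an ordinary message containing an ampersand that must still render.
const SAMPLES = [
  "<script>alert('Test alert');</script>",
  'Hello, see you at 10 & bring the notes',
];

// Runs both renderers over the samples and reports whether a foreign tag
// (i.e. user-controlled markup) reached the output.
function checkRendering() {
  return SAMPLES.map((text) => ({
    text,
    unsafeLeaksTag: containsForeignTag(renderMessageUnsafe('Admin User', text), TEMPLATE_TAGS),
    safeLeaksTag: containsForeignTag(renderMessageSafe('Admin User', text), TEMPLATE_TAGS),
  }));
}

console.log(checkRendering());
```

      In a real client the equivalent of renderMessageSafe is to write the message through a text-only sink (textContent, or a templating engine's auto-escaping variable syntax) instead of building an HTML string, and the check above is the kind of assertion a test suite can run over the rendered output without a browser.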


                Dates

                • Fix Release Date: 10/Sep/18

                  Time Tracking

                  • Estimated: 0m
                  • Remaining: 0m
                  • Logged: 30m