Moodle tracker: MDL-61359

Self-XSS when sending message to another user


    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • Fix Version/s: 3.4.5, 3.5.2
    • Affects Version/s: 3.4.1, 3.5.1, 3.6
    • Component/s: Messages
    • Affected Branches: MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE
    • Fixed Branches: MOODLE_34_STABLE, MOODLE_35_STABLE
    • Pull Master Branch: MDL-61359-master
      Testing instructions:
      1. Log in as an admin.
      2. If there are no users on your site, create one.
      3. Click on the message icon in the top-right.
      4. Click on 'See all'.
      5. Click on the 'Contacts' tab.
      6. Search for another user on the site.
      7. Click on their name.
      8. CONFIRM sending plain text messages works as before (the message appears under the recipient's name as the most recent message, and appears in the message conversation area).
      9. Send the following string as a message, and CONFIRM no alert popup is triggered in the browser:

        <script>alert('Test alert');</script>

        The message should display in the same places as in step 8. Note that in the message it will display HTML-entity encoded, as &lt;script&gt;alert('Test alert');&lt;/script&gt;, rather than verbatim as sent, but this is unrelated to this issue/fix.


      We have received an email at the Moodle security address with a description of a self-XSS that can be easily reproduced. This is not a security issue because you cannot attack other users.

      Security Researcher: Dan Nino I. Fabro

      Description and Impact:
      I was continually browsing the website when I found something interesting. One of the features of the website is to enable communication with other users using the chatbox, URL: https://school.demo.moodle.net/message/index.php?user=[USERNUMBER]&id=[IDNUMBER]. Now, the input field of the chatbox is the one vulnerable here, wherein an attacker may use this as an attack vector for injecting arbitrary JavaScript code and enable himself to steal or edit cookies of other users of the site.
      I was only using a demo account; what if it were a real account already, right?

      Payload used:
      "><img src=x onerror=prompt(document.cookie)>

      Browser used:
      Google Chrome Version 61.0.3163.100 (Official Build) (64-bit)
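The behaviour the testing instructions check (the sent message shown entity-encoded rather than executed) and the payload in the report above both come down to where the message text is placed into the conversation markup. The following JavaScript is an added example, not code from Moodle or from the reporter: it contrasts an unsafe render that concatenates the raw message into HTML with a hardened render that entity-encodes it first, and runs the two payloads that appear on this page through both paths. The function names, the template markup and the containsInjectedMarkup check are assumptions made for the example.

```javascript
// Added example (not Moodle's code): unsafe vs. entity-encoded rendering of a
// chat message, exercised with the two payloads quoted on this tracker page.

// Payloads taken from the page: step 9 of the testing instructions and the
// researcher's report.
const PAYLOADS = {
  testingInstructions: "<script>alert('Test alert');</script>",
  report: '"><img src=x onerror=prompt(document.cookie)>',
};

// Minimal HTML entity encoding, sufficient for text placed in element
// content or inside a double-quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe: the message text is concatenated straight into markup that will be
// assigned to innerHTML, so any tag in the text becomes live DOM. Because the
// text was typed by the same user whose browser renders it, this is self-XSS.
function renderMessageUnsafe(text) {
  return `<div class="message"><p>${text}</p></div>`;
}

// Hardened: identical markup, but the text is entity-encoded first, so the
// browser displays "<script>..." literally instead of executing it.
function renderMessageSafe(text) {
  return `<div class="message"><p>${escapeHtml(text)}</p></div>`;
}

// Hypothetical stand-in for the "CONFIRM no alert popup" step: after removing
// the template's own tags, does anything tag-like remain in the fragment?
// A real client would parse with a DOM instead of scanning a string.
const TEMPLATE_TAGS = ['<div class="message">', '<p>', '</p>', '</div>'];
function containsInjectedMarkup(html) {
  let stripped = html;
  for (const tag of TEMPLATE_TAGS) {
    stripped = stripped.split(tag).join('');
  }
  return /<[a-zA-Z!\/]/.test(stripped);
}

// Runs every payload through both render paths and reports whether injected
// markup survives in each, plus the encoded HTML the safe path produces.
function demo() {
  const results = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    results[name] = {
      unsafe: containsInjectedMarkup(renderMessageUnsafe(payload)),
      safe: containsInjectedMarkup(renderMessageSafe(payload)),
      safeHtml: renderMessageSafe(payload),
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

For both payloads the unsafe path leaves a live `<script>` or `<img onerror>` in the fragment while the safe path leaves only `&lt;`/`&gt;` text. Since the text only ever executes in the session of the user who typed it, this is a self-XSS and, as the description says, does not let one user attack another; entity-encoding at the point where text is placed into markup is the correct fix regardless, and the entity-encoded display noted in the testing instructions is what that fix looks like to the tester.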

            People: Michael Hawkins (michaelh), Marina Glancy (marina), Mark Nelson, Jake Dallimore, Janelle Barcega
            Votes: 2
            Watchers: 15


                Time tracking: Original Estimate 0m, Remaining Estimate 0m, Time Spent 30m
