Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-65442

BurpSuite reports high severity OS command injection on /repository/draftfiles_ajax.php



    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Not a bug
    • Affects Version/s: 3.5.5
    • Fix Version/s: None
    • Component/s: Repositories
    • Labels:
    • Affected Branches:


      OS command injection


      Severity: High
      Confidence: Firm
      Host: https://somehost.somesite.com
      Path: /repository/draftfiles_ajax.php

      Issue detail

      The filepath parameter appears to be vulnerable to OS command injection attacks. It is possible to use various shell metacharacters to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses, however it is possible to inject time delay commands to verify the existence of the vulnerability.

      The payload |ping -n 21||`ping -c 21` #' |ping -n 21||`ping -c 21` #\" |ping -n 21 was submitted in the filepath parameter. The application timed out when responding to the request, indicating that the injected command caused a time delay.

      Issue background

      Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command that is executed, and inject arbitrary further commands that will be executed by the server.

      OS command injection vulnerabilities are usually very serious and may lead to compromise of the server hosting the application, or of the application's own data and functionality. It may also be possible to use the server as a platform for attacks against other systems. The exact potential for exploitation depends upon the security context in which the command is executed, and the privileges that this context has regarding sensitive resources on the server.

      Issue remediation

      If possible, applications should avoid incorporating user-controllable data into operating system commands. In almost every situation, there are safer alternative methods of performing server-level tasks, which cannot be manipulated to perform additional commands than the one intended.

      If it is considered unavoidable to incorporate user-supplied data into operating system commands, the following two layers of defense should be used to prevent attacks:

      The user data should be strictly validated. Ideally, a whitelist of specific accepted values should be used. Otherwise, only short alphanumeric strings should be accepted. Input containing any other data, including any conceivable shell metacharacter or whitespace, should be rejected.
      The application should use command APIs that launch a specific process via its name and command-line parameters, rather than passing a command string to a shell interpreter that supports command chaining and redirection. For example, the Java API Runtime.exec and the ASP.NET API Process.Start do not support shell metacharacters. This defense can mitigate the impact of an attack even in the event that an attacker circumvents the input validation defenses.

      Vulnerability classifications

      • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
      • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
      • CWE-116: Improper Encoding or Escaping of Output


      POST /repository/draftfiles_ajax.php?action=list HTTP/1.1
      Host: somehost.somesite.com
      Connection: close
      Content-Length: 88
      Origin: https://somehost.somesite.com
      X-Requested-With: XMLHttpRequest
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
      DNT: 1
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      Accept: */*
      Referer: https://somehost.somesite.com/mod/assign/view.php?id=567207&action=editsubmission
      Accept-Encoding: gzip, deflate
      Accept-Language: en-CA,en-US;q=0.9,en;q=0.8
      Cookie: __utma=153100668.1387493294.1556561673.1556561673.1556561673.1; __utmc=153100668; __utmz=153100668.1556561673.1.1.utmccn=(referral)|utmcsr=somehost.somesite.com|utmcct=/|utmcmd=referral; TS01fa06a5=0183e075343f59bc0b06da23cf28ecc6d241c03e37e9b673b7ee5984b9c8387c893b3f3d269249b6473f9ef4396a864f229566ad2af2fbf003f074a6869948d8613a07bf4f; BIGipServerPOOL_somehost.somesite.com_http=1030776974.20480.0000;TS018ecb25=0183e07534a07d6c215271c9134e998a4aea9859216c278798d91a03ba977dade5978c3ea0093e58459b8be150f20c781415ede2f78334819791064cd9256805e863cec936; MoodleSession=tn3jg6asdfdrgj2seiau4refkn; TS019fc7a5=0183e07534a4200c17310c9b001538cb94810f45c229e04c6941ce21a385bdb4cc18276176902f97f50127828bcbf25be3c83a5b5afa1da5e9daa49322ed97697964be8cbb3e890554c14739cb80e9200b052c7ed496de63e0245233e1fa289bcc7120c7c9




            mwebster Mark van Hoek
            Component watchers:
            Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias
            0 Vote for this issue
            2 Start watching this issue