Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-67110

XSS in malicious seemingly H5P content

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.8
    • Fix Version/s: 3.8
    • Component/s: Filters, H5P
    • Labels:
    • Testing Instructions:
      Hide

      Setup

      Check in Site administration > Plugins > Filters > Manage filters 'Display H5P' filter is enabled and applied before 'Convert URLs into links and images' and 'Activity names auto-linking' filters.

      Prerequisites:

      • Having multiple H5P content URLs:
      • Go to Site administration > Plugins > Filters > Display H5P and, in "Allowed sources", add this:

        https://h5p.org/h5p/embed/[id]
        https://generic.wordpress.soton.ac.uk/altc/wp-admin/admin-ajax.php?action=h5p_embed&id=[id]
        https://moodle.h5p.com/content/[id]/embed
        https://moodle.h5p.com/content/[id]
        

      Test 1

      1. Check in Site administration > Plugins > Filters > Manage filters 'Convert URLs into links and images' filter is Disabled or, in case it is On, is ordered below Display H5P filter.
      2. Create a course C1.
      3. In course C1, add a Label anywhere.
      4. In the Label text Atto editor, copy and paste  the following text using the HTML/code view

        <div>1.valid URL: https://h5p.org/h5p/embed/580638</div>
        <div>2.another valid URL: https://h5p.org/h5p/embed/6729</div>
        <div>3.non valid URL: https://moodle.org</div>
        <div>4.URL inside a link tag: <a href="https://h5p.org/h5p/embed/6729">link</a></div>
        <div>5.paragraph with a valid URL https://h5p.org/h5p/embed/580638 inside</div>
        <div>6.a valid URL ended by '/embed': https://moodle.h5p.com/content/1290729733828858779/embed</div>
        <div>7.an h5p.com valid URL not ended by '/embed': https://moodle.h5p.com/content/1290729733828858779</div>
        <div>8.an wordpress valid URL: https://generic.wordpress.soton.ac.uk/altc/wp-admin/admin-ajax.php?action=h5p_embed&id=1</div>

      1. Confirm that the H5P contents of 1, 2, 5, 6 and 7 are displayed.

      Test 2

      1. Go to Site administration > Plugins > Filters > Display H5P and, in "Allowed sources", add this: 

        https://h5p.org/h5p/embed/[id]
        https://generic.wordpress.soton.ac.uk/altc/wp-admin/admin-ajax.php?action=h5p_embed&id=[id] 
        https://*.h5p.com/content/[id]/embed
        https://*.h5p.com/content/[id]

      1. Go to label created in C1 course
      2. Confirm that the H5P contents of 1, 2, 5 , 8 are displayed.
      3. Confirm that the H5P contents of 6 and 7 are not displayed.

       Tes3 - local files

      1. As an admin navigate to 'Private files'
      2. Create a folder with spaces in the name, e.g. 'Folder with spaces'.
      3. Upload 'arithmetic-quiz-22-57860 (1).h5p' file to the folder
      4. Navigate to Dashboard. Add 'Private files' block to your Dashboard.
      5. Copy link address to 'arithmetic-quiz-22-57860 (1).h5p' file
      6. In a course create a new label.
      7. Add link address to 'arithmetic-quiz-22-57860 (1).h5p' file to 'Label text'
      8. Save and return to course.
      9. Make sure H5P content is rendered and working 

       

      Show
      Setup Check in Site administration > Plugins > Filters > Manage filters 'Display H5P' filter is enabled and applied before 'Convert URLs into links and images' and 'Activity names auto-linking' filters. Prerequisites: Having multiple H5P content URLs: Go to Site administration > Plugins > Filters > Display H5P and, in "Allowed sources", add this: https://h5p.org/h5p/embed/[id] https://generic.wordpress.soton.ac.uk/altc/wp-admin/admin-ajax.php?action=h5p_embed&id=[id] https://moodle.h5p.com/content/[id]/embed https://moodle.h5p.com/content/[id] Test 1 Check in Site administration > Plugins > Filters > Manage filters 'Convert URLs into links and images' filter is Disabled or, in case it is On, is ordered below Display H5P filter. Create a course C1. In course C1, add a Label anywhere. In the Label text Atto editor, copy and paste  the following text using the HTML/code view :  <div> 1 .valid URL: https: //h5p.org/h5p/embed/580638</div> <div> 2 .another valid URL: https: //h5p.org/h5p/embed/6729</div> <div> 3 .non valid URL: https: //moodle.org</div> <div> 4 .URL inside a link tag: <a href= "https://h5p.org/h5p/embed/6729" >link</a></div> <div> 5 .paragraph with a valid URL https: //h5p.org/h5p/embed/580638 inside</div> <div> 6 .a valid URL ended by '/embed' : https: //moodle.h5p.com/content/1290729733828858779/embed</div> <div> 7 .an h5p.com valid URL not ended by '/embed' : https: //moodle.h5p.com/content/1290729733828858779</div> <div> 8 .an wordpress valid URL: https: //generic.wordpress.soton.ac.uk/altc/wp-admin/admin-ajax.php?action=h5p_embed&id=1</div> Confirm that the H5P contents of 1, 2, 5, 6 and 7 are displayed. Test 2 Go to Site administration > Plugins > Filters > Display H5P and, in "Allowed sources", add this:  https: //h5p.org/h5p/embed/[id] https: //generic.wordpress.soton.ac.uk/altc/wp-admin/admin-ajax.php?action=h5p_embed&id=[id] https: //*.h5p.com/content/[id]/embed https: //*.h5p.com/content/[id] Go to label created in C1 course Confirm that the H5P contents of 1, 2, 5 , 8 are displayed. Confirm that the H5P contents of 6 and 7 are not displayed.  Tes3 - local files As an admin navigate to 'Private files' Create a folder with spaces in the name, e.g. 'Folder with spaces'. Upload 'arithmetic-quiz-22-57860 (1).h5p' file to the folder Navigate to Dashboard. Add 'Private files' block to your Dashboard. Copy link address to 'arithmetic-quiz-22-57860 (1).h5p' file In a course create a new label. Add link address to 'arithmetic-quiz-22-57860 (1).h5p' file to 'Label text' Save and return to course. Make sure H5P content is rendered and working   
    • Affected Branches:
      MOODLE_38_STABLE
    • Fixed Branches:
      MOODLE_38_STABLE
    • Sprint:
      H5P Sprint Relase 3.8

      Description

      The H5P filter recently introduced allows an attacker to execute JavaScript, and embed content that does not meet the allowed sources requirements.

      Pre-requisites

      • H5P filter enabled
      • Default allowed sources

      Demonstration

      The following URLs are examples of vulnerabilities, include those URLs anywhere where the filter is applied.

      https://perdu%2Ecom#h5p.com/content/1
       
      https://mydomain-h5p.com/content/1
       
      https://mydomainh5p.com/content/1
       
      https://"onload="alert(1)"h5p.com/content/1"
      

      Explanation

      The default allowed sources contain the following:

      https://*.h5p.com/content/[id]
      

      A regular expression is constructed from the allowed sources replacing the * character with the regex [\.]+. It also does not escape the . (periods) that are part of the allowed sources.

      With that we can:

      • Use the URL code %2E to hide . (periods) which allows us to completely replace the domain of the URL (first exploit)
      • Buy our own domain that ends in h5p.com as the preceding . (period) is not escaped, and can be any character (2nd and 3rd exploits)
      • Inject HTML through the domain so long as it does not include a period (4th exploit)

      You should consider having a bug bounty

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Fix Release Date:
                18/Nov/19

                Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 7 hours, 15 minutes
                7h 15m