Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-68061

Grade report history per page config setting should be restricted to int

XMLWordPrintable

    • MOODLE_37_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE
    • MOODLE_37_STABLE, MOODLE_38_STABLE
    • MDL-68061-master
    • Hide

      NOTE: This test starts BEFORE the patch is applied.

      Setup

      1. A Moodle site running moodle.git, aka, before patch (ie without this issue patched).

      Testing - strings are updated and no longer allowed

      1. Log into the site as admin.
      2. Navigate to Site administration and search for "History entries per page" (grade_report_historyperpage).
      3. Change the value to "Test" and press "Save changes".
      4. CONFIRM you are allowed to save that value.
      5. Switch to integration.git, aka, after patch (with the patch applied).
      6. Open a new tab and navigate back to Site administration to trigger a site upgrade.
      7. Once the upgrade is completed, go back to the "History entries per page" tab and refresh the page.
      8. CONFIRM the previous value of "Test" has now been replaced by "50".
      9. Attempt to re-set the per page value to "Test" and CONFIRM you receive an error when trying to save the changes.
      10. Set the per page value to "30" and press "Save changes".
      11. CONFIRM the changes are successfully saved.

      Testing - integers are not modified during upgrade

      1. Again, start with a site before patch (ie. without this patch).
      2. Log into the site as admin.
      3. Navigate to Site administration and search for "History entries per page" (grade_report_historyperpage).
      4. Change the value to "30" and press "Save changes".
      5. CONFIRM you are allowed to save that value.
      6. Switch to integration.git, aka, after patch (with the patch applied).
      7. Open a new tab and navigate back to Site administration to trigger a site upgrade.
      8. Navigate back to the "History entries per page" setting.
      9. CONFIRM the setting is still "30", and has not been updated to "50".
      Show
      NOTE: This test starts BEFORE the patch is applied. Setup A Moodle site running moodle.git, aka, before patch (ie without this issue patched). Testing - strings are updated and no longer allowed Log into the site as admin. Navigate to Site administration and search for "History entries per page" ( grade_report_historyperpage ). Change the value to "Test" and press "Save changes". CONFIRM you are allowed to save that value. Switch to integration.git, aka, after patch (with the patch applied). Open a new tab and navigate back to Site administration to trigger a site upgrade. Once the upgrade is completed, go back to the "History entries per page" tab and refresh the page. CONFIRM the previous value of "Test" has now been replaced by "50". Attempt to re-set the per page value to "Test" and CONFIRM you receive an error when trying to save the changes. Set the per page value to "30" and press "Save changes". CONFIRM the changes are successfully saved. Testing - integers are not modified during upgrade Again, start with a site before patch (ie. without this patch). Log into the site as admin. Navigate to Site administration and search for "History entries per page" ( grade_report_historyperpage ). Change the value to "30" and press "Save changes". CONFIRM you are allowed to save that value. Switch to integration.git, aka, after patch (with the patch applied). Open a new tab and navigate back to Site administration to trigger a site upgrade. Navigate back to the "History entries per page" setting. CONFIRM the setting is still "30", and has not been updated to "50".
    • International 3.9 - Sprint 6

      The application is vulnerable to Stored Cross-Site Scripting (XSS) attack. You can find reproduce steps and sample HTTP Request below.

      Tested Moodle version: 3.8.1+ (the latest)
      Tested browser version: Firefox 73.0.1
      Vulnerable parameter: 's__grade_report_historyperpage' on Grade History Module (/admin/settings.php?section=gradereporthistory)
      Tested payload: <marquee loop=1 width=0 onfinish=alert('Stored-XSS-Test')>

      Reproduce steps:
      1- Go to 'Grade History' module (/admin/settings.php?section=gradereporthistory)
      2- Change the HTTP Post Request's 's__grade_report_historyperpage' parameter with said payload(HTTP Request is attached below).
      3- Go to any log pages to observe the execution, e.g. 'Live logs' page (report/loglive/index.php)

      Sample HTTP Request:

      POST /admin/settings.php?section=gradereporthistory HTTP/1.1
      Host: <REDACTED>
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Language: en-GB,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 182
      Origin: <REDACTED>
      DNT: 1
      Connection: close
      Referer: https://<REDACTED>/admin/settings.php?section=gradereporthistory
      Cookie: MoodleSession=4i<REDACTED>gr
      Upgrade-Insecure-Requests: 1
      section=gradereporthistory&action=save-settings&sesskey=Cr<REDACTED>id&return=&s__grade_report_historyperpage=%3Cmarquee+loop%3D1+width%3D0+onfinish%3Dalert%28%27Stored-XSS-Test%27%29%3E
      
      

       

        1. MDL-68061.jpg
          MDL-68061.jpg
          52 kB
        2. MDL-68061 (2).jpg
          MDL-68061 (2).jpg
          29 kB
        3. Stored XSS.png
          Stored XSS.png
          159 kB

            michaelh Michael Hawkins
            ea Engin Aslan
            Simey Lameze Simey Lameze
            Eloy Lafuente (stronk7) Eloy Lafuente (stronk7)
            Anna Carissa Sadia Anna Carissa Sadia
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 6 hours, 41 minutes
                6h 41m

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.