Moodle / MDL-68423

Scripts should not execute locally when sent via messaging


Details

    • MOODLE_38_STABLE, MOODLE_39_STABLE
    • MDL-68423-master
    • 1. Log in as a user.
      2. Open the messaging drawer, and open a conversation with yourself.
      3. Paste the following into the messaging input: Start <script>alert(123)</script> and <img src=x onerror=alert(document.cookie) alt=''>end.
      4. Press send.
        1. Check no alert is displayed
        2. Check that the message displayed is "Start and end."
        3. Check the message area gets cleaned and focused
    • Moppies Kanban

    Description

      Currently, if you input JavaScript in messaging, it is stripped on output, but is being executed locally (self-XSS) when the send button is pressed. A similar bug was fixed in Moodle 3.5.2 (MDL-61359), but this version appears to have been introduced in 3.8.

      Steps to reproduce:

      1. Log in as a student.
      2. Open the messaging drawer, and open a conversation with yourself or another user.
      3. Paste the following into the messaging input:
        <script>alert(123)</script>
      4. Press send.
      5. See "123" appear in an alert popup on the sender's screen.

      Note: This has not been flagged as a security issue, as it is only executed on the sender's side, and only when the message is initially sent - the sender never re-executes the script, and the message is escaped before being shown to the recipient.

      Tested on 3.6, 3.7, 3.8 and master (3.9) - only 3.8 onwards appear to be affected.

       

      (Originally reported on SF case 00066905)
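
The two checks in the testing instructions ("no alert is displayed" and "the message displayed is 'Start and end.'") can be automated by auditing the markup the client is about to insert for the just-sent message. The following is an added example, not part of the original report or of Moodle's code; `audit_fragment` and `check_sent_message` are hypothetical names, and how the markup is captured from the page is assumed to be handled by the surrounding test tooling.

```python
from html.parser import HTMLParser

# Test string taken from the testing instructions on this page.
TEST_INPUT = ("Start <script>alert(123)</script> and "
              "<img src=x onerror=alert(document.cookie) alt=''>end.")


class _Audit(HTMLParser):
    """Collects visible text and any markup a browser could execute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.findings, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1          # content of these is never visible text
            if tag == "script":
                self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):  # inline event handlers, e.g. onerror
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in ("href", "src") and \
                    (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def audit_fragment(markup):
    """Return (visible text with whitespace collapsed, list of findings)."""
    parser = _Audit()
    parser.feed(markup)
    parser.close()                   # flush any buffered trailing text
    return " ".join("".join(parser.text).split()), parser.findings


def check_sent_message(markup, expected="Start and end."):
    """True when the fragment shows the expected text and nothing executable."""
    text, findings = audit_fragment(markup)
    return text == expected and not findings
```

Run against the raw test string, the audit reports the script element and the `onerror` handler; run against the cleaned markup, it reports nothing and the visible text matches the expected message.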


          People

            tusefomal Ferran Recio
            michaelh Michael Hawkins
            Victor Déniz Falcón Victor Déniz Falcón
            Adrian Greeve Adrian Greeve
            Janelle Barcega Janelle Barcega

              Time Tracking

                Estimated: Not Specified
                Remaining: 0m
                Logged: 2d 2h 30m
