[MDL-68443] Improve XMLDB path validation of included files - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.5.12, 3.6.10, 3.7.5, 3.8.2, 3.9
Fix Version/s: 3.7.6, 3.8.3
Component/s: Database SQL/XMLDB
Labels:

Testing Instructions:

Hide

1) Log in as admin

2) Go here are confirm that it still loads the xml file:

http://moodle.local/admin/tool/xmldb/index.php?action=view_xml&file=%2Fadmin%2Ftool%2Fcohortroles%2Fdb%2Finstall.xml

3) Confirm that all of the following urls result in an exception:

http://moodle.local/admin/tool/xmldb/index.php?action=view_xml&file=/lib/db/caches.php

http://moodle.local/admin/tool/xmldb/index.php?action=view_xml&file=/lib/xmldb/xmldb_file.php

Show
1) Log in as admin 2) Go here are confirm that it still loads the xml file: http://moodle.local/admin/tool/xmldb/index.php?action=view_xml&file=%2Fadmin%2Ftool%2Fcohortroles%2Fdb%2Finstall.xml 3) Confirm that all of the following urls result in an exception: http://moodle.local/admin/tool/xmldb/index.php?action=view_xml&file=/lib/db/caches.php http://moodle.local/admin/tool/xmldb/index.php?action=view_xml&file=/lib/xmldb/xmldb_file.php
Affected Branches:
MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE
Fixed Branches:
MOODLE_37_STABLE, MOODLE_38_STABLE
Pull from Repository:
https://github.com/brendanheywood/moodle
Pull 3.5 Branch:
~~MDL-68443~~-xmldb-path-validation-MOODLE_35_STABLE
Pull 3.5 Diff URL:
https://github.com/moodle/moodle/compare/MOODLE_35_STABLE...brendanheywood:MDL-68443-xmldb-path-validation-MOODLE_35_STABLE
Pull 3.8 Branch:
~~MDL-68443~~-xmldb-path-validation-MOODLE_38_STABLE
Pull 3.8 Diff URL:
https://github.com/moodle/moodle/compare/MOODLE_38_STABLE...brendanheywood:MDL-68443-xmldb-path-validation-MOODLE_38_STABLE
Pull Master Branch:
~~MDL-68443~~-xmldb-path-validation
Pull Master Diff URL:
https://github.com/moodle/moodle/compare/master...brendanheywood:MDL-68443-xmldb-path-validation

Description

We've had a pen test report back: Local File Inclusion (LFI) vulnerability was detected

The risk here is very low generally but in some edge cases is worse.

It allows an admin to view a class of files raw source which includes php files.

eg:

http://moodle.local/admin/tool/xmldb/index.php?action=view_xml&file=..//..//..//..//lib/xmldb/xmldb_file.php

http://moodle.local/admin/tool/xmldb/index.php?action=view_xml&file=..//..//..//..//lib/db/caches.php

In an extreme version IF by pure misfortune your www dir is something ending in the letters 'db' such as /var/www/learningdb/ then you can actually do this and grab all the db connection strings etc:

http://moodle.local/admin/tool/xmldb/index.php?action=view_xml&file=..//..//..//config.php

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

image-2020-05-08-10-59-17-505.png
190 kB
08/May/20 10:59 AM

Activity

People

Assignee:: Brendan Heywood

Reporter:: Brendan Heywood

Peer reviewer:: Peter Burnett

Integrator:: Eloy Lafuente (stronk7)

Tester:: Janelle Barcega

Participants:: Brendan Heywood, CiBoT, Eloy Lafuente (stronk7), Janelle Barcega, Peter Burnett

Component watchers:: Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 17/Apr/20 2:16 PM

Updated:: 10/Jun/20 1:20 PM

Resolved:: 08/May/20 8:02 PM

Fix Release Date:: 11/May/20

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

44m