Details
- Type: Bug
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 3.5.12, 3.6.10, 3.7.5, 3.8.2, 3.9
- Component/s: Database SQL/XMLDB
- Labels:
- Testing Instructions:
- Affected Branches: MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE
- Fixed Branches: MOODLE_37_STABLE, MOODLE_38_STABLE
- Pull from Repository:
- Pull 3.5 Branch: MDL-68443-xmldb-path-validation-MOODLE_35_STABLE
- Pull 3.8 Branch: MDL-68443-xmldb-path-validation-MOODLE_38_STABLE
- Pull Master Branch: MDL-68443-xmldb-path-validation
Description
We've had a pen test report back: a Local File Inclusion (LFI) vulnerability was detected.
The risk here is very low generally, but in some edge cases it is worse.
It allows an admin to view the raw source of a class of files, which includes PHP files.
eg:
In an extreme version, if by pure misfortune your www dir is something ending in the letters 'db', such as /var/www/learningdb/, then you can actually do this and grab all the db connection strings etc.:
http://moodle.local/admin/tool/xmldb/index.php?action=view_xml&file=..//..//..//config.php
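
A path check that rejects the request described above, as an added example that is not Moodle's code and not the fix on the linked branches: it canonicalises the requested file first, then compares whole path components instead of trailing letters. The function name `xmldb_resolve_file()`, the rule "an .xml file directly inside a directory named `db`", and the sample tree are assumptions made for illustration.

```php
<?php
// Added example (hypothetical helper, not Moodle's implementation).

/**
 * Resolve a user-supplied relative path under $root and accept it only if the
 * canonical result is an .xml file directly inside a directory named exactly
 * "db". Returns the canonical path, or null when the request is rejected.
 */
function xmldb_resolve_file(string $root, string $requested): ?string {
    $rootreal = realpath($root);
    // realpath() collapses "..", "//" and symlinks; false means nothing is there.
    $real = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($rootreal === false || $real === false || !is_file($real)) {
        return null;
    }
    // Containment: the trailing separator stops /var/www/moodle2 matching /var/www/moodle.
    $prefix = $rootreal . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Whole component must equal "db"; a letters-only suffix test would accept "learningdb".
    if (basename(dirname($real)) !== 'db') {
        return null;
    }
    if (strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== 'xml') {
        return null;
    }
    return $real;
}

// Constructed sample tree: a web root whose directory name ends in "db".
$www = sys_get_temp_dir() . '/xmldbdemo_' . getmypid() . '/learningdb';
mkdir("$www/mod/forum/db", 0700, true);
file_put_contents("$www/config.php", "<?php // constructed placeholder\n");
file_put_contents("$www/mod/forum/db/install.xml", "<XMLDB/>\n");

$requests = [
    'mod/forum/db/install.xml',            // legitimate schema file
    'mod/forum/db/..//..//..//config.php', // climbs back to the web root
    '..//..//..//config.php',              // value from the report, resolved from $www
];
foreach ($requests as $r) {
    $result = xmldb_resolve_file($www, $r);
    echo str_pad($r, 40), ' => ', $result === null ? 'REJECTED' : 'accepted', PHP_EOL;
}
```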