Moodle tracker: MDL-68443

Improve XMLDB path validation of included files



      Description

      We've had a pen test report back: a Local File Inclusion (LFI) vulnerability was detected.

      The risk here is very low generally but in some edge cases is worse.

      It allows an admin to view the raw source of a class of files, which includes PHP files.

      e.g.:

      http://moodle.local/admin/tool/xmldb/index.php?action=view_xml&file=..//..//..//..//lib/xmldb/xmldb_file.php

      http://moodle.local/admin/tool/xmldb/index.php?action=view_xml&file=..//..//..//..//lib/db/caches.php

      In an extreme version IF by pure misfortune your www dir is something ending in the letters 'db' such as /var/www/learningdb/ then you can actually do this and grab all the db connection strings etc:
       
      http://moodle.local/admin/tool/xmldb/index.php?action=view_xml&file=..//..//..//config.php
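As an added example (not the patch attached to this issue and not Moodle's own code), a PHP check of the kind the title calls for: the `file` parameter is allow-listed to the shape `<plugin>/db/install.xml`, and the canonicalised path must stay inside the code root, so `..//` traversal and stray `.php` files are refused. The function name, the demo directory layout and the sample requests are assumptions.

```php
<?php
declare(strict_types=1);

// Returns the canonical absolute path of an XMLDB file that is safe to read,
// or null if the request must be refused. Assumes $dirroot is the absolute
// path of the code base and a legitimate XMLDB file is <plugin>/db/install.xml.
function xmldb_safe_path(string $dirroot, string $file): ?string {
    // 1. Allow-list the shape of the relative path: only letters, digits, '_',
    //    '-' and '/' in the directory part, so "." / ".." segments, NUL bytes
    //    and absolute paths never get past this line.
    if (!preg_match('~^[A-Za-z0-9_][A-Za-z0-9_/-]*/db/install\.xml$~', $file)) {
        return null;
    }
    // 2. Canonicalise both sides: realpath() collapses "//", resolves symlinks
    //    and returns false when the target does not exist.
    $root = realpath($dirroot);
    $real = realpath($dirroot . '/' . $file);
    if ($root === false || $real === false) {
        return null;
    }
    // 3. The resolved file must still lie strictly inside the code root, which
    //    also catches a symlinked db/ directory that points elsewhere.
    if (strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo tree (hypothetical, removed again at the end).
$root = sys_get_temp_dir() . '/xmldb_demo_' . getmypid();
mkdir("$root/lib/db", 0700, true);
file_put_contents("$root/lib/db/install.xml", "<XMLDB/>\n");
file_put_contents("$root/config.php", "<?php // secrets\n");

$requests = [
    'lib/db/install.xml',        // legitimate
    'lib//db/install.xml',       // doubled slash, canonicalises inside root
    '../../config.php',          // traversal out of the plugin tree
    'lib/db/../../config.php',   // traversal that still contains "/db/"
    'lib/db/caches.php',         // a .php file inside a db/ directory
];
foreach ($requests as $r) {
    $ok = xmldb_safe_path($root, $r);
    printf("%-26s => %s\n", $r, $ok === null ? 'REJECTED' : 'ok ' . substr($ok, strlen(realpath($root))));
}

foreach (["$root/lib/db/install.xml", "$root/config.php"] as $f) { unlink($f); }
foreach (["$root/lib/db", "$root/lib", $root] as $d) { rmdir($d); }
```

Only the first two requests resolve to a path; the realpath step is what defeats the "directory name happens to end in db" edge case described above, because the check is made on the canonical file, not on a substring of the requested string.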


            People

            Assignee:
            brendanheywood Brendan Heywood
            Reporter:
            brendanheywood Brendan Heywood
            Peer reviewer:
            Peter Burnett
            Integrator:
            Eloy Lafuente (stronk7)
            Tester:
            Janelle Barcega
            Participants:
            Component watchers:
            Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze

              Dates

              Fix Release Date:
              11/May/20

                Time Tracking

                Estimated: Not Specified
                Remaining: 0 minutes
                Logged: 44 minutes