Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-68443

Improve XMLDB path validation of included files

    XMLWordPrintable

Details

    Description

      We've had a pen test report back: Local File Inclusion (LFI) vulnerability was detected

      The risk here is very low generally but in some edge cases is worse.

      It allows an admin to view a class of files raw source which includes php files.

      eg:

      http://moodle.local/admin/tool/xmldb/index.php?action=view_xml&file=..//..//..//..//lib/xmldb/xmldb_file.php

      http://moodle.local/admin/tool/xmldb/index.php?action=view_xml&file=..//..//..//..//lib/db/caches.php

      In an extreme version IF by pure misfortune your www dir is something ending in the letters 'db' such as /var/www/learningdb/ then you can actually do this and grab all the db connection strings etc:
       
      http://moodle.local/admin/tool/xmldb/index.php?action=view_xml&file=..//..//..//config.php

       

      Attachments

        Activity

          People

            brendanheywood Brendan Heywood
            brendanheywood Brendan Heywood
            Peter Burnett Peter Burnett
            Eloy Lafuente (stronk7) Eloy Lafuente (stronk7)
            Janelle Barcega Janelle Barcega
            David Woloszyn, Huong Nguyen, Jake Dallimore, Michael Hawkins, Stevani Andolo
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:
              11/May/20

              Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 44 minutes
                44m