Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-68443

Improve XMLDB path validation of included files

XMLWordPrintable

      We've had a pen test report back: Local File Inclusion (LFI) vulnerability was detected

      The risk here is very low generally but in some edge cases is worse.

      It allows an admin to view a class of files raw source which includes php files.

      eg:

      http://moodle.local/admin/tool/xmldb/index.php?action=view_xml&file=..//..//..//..//lib/xmldb/xmldb_file.php

      http://moodle.local/admin/tool/xmldb/index.php?action=view_xml&file=..//..//..//..//lib/db/caches.php

      In an extreme version IF by pure misfortune your www dir is something ending in the letters 'db' such as /var/www/learningdb/ then you can actually do this and grab all the db connection strings etc:
       
      http://moodle.local/admin/tool/xmldb/index.php?action=view_xml&file=..//..//..//config.php

       

        1. image-2020-05-08-10-59-17-505.png
          image-2020-05-08-10-59-17-505.png
          190 kB

            brendanheywood Brendan Heywood
            brendanheywood Brendan Heywood
            Peter Burnett Peter Burnett
            Eloy Lafuente (stronk7) Eloy Lafuente (stronk7)
            Janelle Barcega Janelle Barcega
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 44 minutes
                44m

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.