- Bug
- Resolution: Fixed
- Minor
- 3.5.12, 3.6.10, 3.7.5, 3.8.2, 3.9
- MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE
- MOODLE_37_STABLE, MOODLE_38_STABLE
- MDL-68443-xmldb-path-validation
We've had a pen test report back: a Local File Inclusion (LFI) vulnerability was detected.
The risk here is very low generally, but in some edge cases it is worse.
It allows an admin to view the raw source of a class of files, which includes PHP files.
eg:
In an extreme version, if by pure misfortune your www dir is something ending in the letters 'db', such as /var/www/learningdb/, then you can actually do this and grab all the db connection strings etc.:
http://moodle.local/admin/tool/xmldb/index.php?action=view_xml&file=..//..//..//config.php
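As an added Python illustration (not Moodle's PHP code; the "weak" check is a hypothetical model of the suffix-on-'db' behaviour described above, not the tool's actual logic), this contrasts a check that only looks at the directory name with one that resolves the path, keeps it inside the web root and insists on a `db/*.xml` target. The web-root layout is constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# The request from the report, and a legitimate xmldb request for comparison.
TRAVERSAL = "..//..//..//config.php"
LEGIT = "../../../lib/db/install.xml"


def weak_check(www_root: str, user_path: str) -> bool:
    """Hypothetical suffix-only check: accept any path whose parent directory
    name ends in 'db'. A web root such as /var/www/learningdb/ satisfies it."""
    target = os.path.normpath(os.path.join(www_root, "admin", "tool", "xmldb", user_path))
    return os.path.dirname(target).endswith("db")


def strict_check(www_root: str, user_path: str) -> bool:
    """Hardened check: resolve symlinks and '..', require the result to stay
    inside www_root, require the parent component to be exactly 'db', and
    require an existing .xml file. Containment alone would still admit
    config.php, so the component and extension checks are what close the hole."""
    root = Path(www_root).resolve()
    target = (root / "admin" / "tool" / "xmldb" / user_path).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        return False
    return target.parent.name == "db" and target.suffix == ".xml" and target.is_file()


def build_demo_root(dir_name: str) -> str:
    """Constructed throwaway web root (sample layout only, not a real Moodle tree)."""
    root = os.path.join(tempfile.mkdtemp(), dir_name)
    os.makedirs(os.path.join(root, "admin", "tool", "xmldb"))
    os.makedirs(os.path.join(root, "lib", "db"))
    Path(root, "config.php").write_text("<?php $CFG->dbpass = 'constructed-secret';\n")
    Path(root, "lib", "db", "install.xml").write_text("<XMLDB/>\n")
    return root


if __name__ == "__main__":
    for name in ("learningdb", "moodle"):
        root = build_demo_root(name)
        for req in (TRAVERSAL, LEGIT):
            print(f"{name}: {req!r} weak={weak_check(root, req)} strict={strict_check(root, req)}")
```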