Moodle issue MDL-79154

Escape name variable in XMLDB editor


    • MOODLE_311_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE, MOODLE_401_STABLE, MOODLE_402_STABLE

      We need to escape the name variable in the XMLDB editor delete functionality, as a precautionary defence in depth measure and to avoid any risk in future.

      Note: This has been marked security benefit, as it requires the user's sesskey in order to execute any JS (so is currently self-XSS only). We should still fix this, to increase security and avoid any future risk if anything changes in the relevant page.

      The example provided related to the delete functionality, but we should check all relevant CRUD operations to ensure they are all handled similarly.

      Steps to reproduce:

      1. Go to Site administration > Developer > XMLDB editor
      2. Click an arbitrary Edit
      3. Click an arbitrary Edit
      4. Click an arbitrary Delete
      5. Change the url's name variable to: %22%20onclick=%22alert(1)%22%20onsubmit=event.preventDefault()%20style=%22display:block;
         The whole url is now (input your sesskey in the relevant place): /admin/tool/xmldb/index.php?action=delete_field&sesskey=SESSKEY&field=severity&table=%22%20onclick=%22alert(1)%22%20onsubmit=event.preventDefault()%20style=%22display:block;&dir=%2Fadmin%2Ftool%2Fbrickfield%2Fdb
         Click Yes or No.
      6. Confirm you see an alert.

      Note: This was originally reported via BC submission 4d490883-bbaf-4c3d-9369-18755a4c24d8, which was closed as informational as this is being raised as a general bug.
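As an added illustration (not Moodle's own XMLDB editor code), the pattern behind this report: a request value reflected into an HTML attribute without escaping, beside the same output with attribute-context escaping applied. Function and form names are assumptions; Moodle's own helper for this escaping is s() in lib/weblib.php, shown here via the underlying htmlspecialchars() call.

```php
<?php
// Illustrative only, not Moodle code. Shows why an unescaped request value
// inside a double-quoted HTML attribute is an injection point, and how
// escaping for the attribute context closes it.

// Constructed input: the URL-decoded payload from the report's step 5.
$table = '" onclick="alert(1)" onsubmit=event.preventDefault() style="display:block;';
$field = 'severity';

// Vulnerable: the value is concatenated straight into the attribute, so a
// literal " in the input terminates value="..." and starts new attributes.
function confirm_form_unescaped(string $table, string $field): string {
    return '<form method="post" action="index.php">'
         . '<input type="hidden" name="table" value="' . $table . '">'
         . '<input type="hidden" name="field" value="' . $field . '">'
         . '<input type="submit" value="Yes"></form>';
}

// Hardened: ENT_QUOTES matters here because the attribute is delimited with
// double quotes; without it htmlspecialchars() would leave " untouched.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function confirm_form_escaped(string $table, string $field): string {
    return '<form method="post" action="index.php">'
         . '<input type="hidden" name="table" value="' . esc($table) . '">'
         . '<input type="hidden" name="field" value="' . esc($field) . '">'
         . '<input type="submit" value="Yes"></form>';
}

// Check a unit test could carry: the escaped value must sit inside one
// attribute, and no raw quote from the input may open an event handler.
function attribute_intact(string $html, string $table): bool {
    return strpos($html, 'value="' . esc($table) . '"') !== false
        && strpos($html, '" onclick=') === false;
}

echo confirm_form_unescaped($table, $field), "\n";
echo confirm_form_escaped($table, $field), "\n";
var_dump(attribute_intact(confirm_form_unescaped($table, $field), $table)); // bool(false)
var_dump(attribute_intact(confirm_form_escaped($table, $field), $table));   // bool(true)
```

Input validation on the way in (restricting table and field names to the characters a schema identifier can contain) is the first layer; the output escaping above is the defence-in-depth the issue asks for, and applies equally to the other CRUD actions mentioned in the description.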

Assignee: Unassigned
Reporter: Michael Hawkins (michaelh)
