Type: Bug
Resolution: Unresolved
Priority: Minor
Affects versions: 3.9.23, 3.11.16, 4.0.10, 4.1.5, 4.2.2
Affected branches: MOODLE_311_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE, MOODLE_401_STABLE, MOODLE_402_STABLE
We need to escape the name variable in the XMLDB editor delete functionality, as a precautionary defence-in-depth measure and to avoid any risk in future.
Note: This has been marked as security benefit, because the page requires the user's own sesskey before any JS can execute (so it is currently self-XSS only: an attacker cannot craft a link that fires for another user without knowing that user's sesskey). We should still fix it, to increase security and avoid any future risk if anything changes in the relevant page.
The example provided relates to the delete functionality, but we should check all relevant CRUD operations in the editor to ensure the names are escaped in all of them.
Steps to reproduce:
- Go to Site administration > Developer > XMLDB editor
- Click Edit on an arbitrary directory
- Click Edit on an arbitrary table in that directory
- Click Delete on an arbitrary field
- Change the URL's table name parameter (table) to: %22%20onclick=%22alert(1)%22%20onsubmit=event.preventDefault()%20style=%22display:block;
  URL-decoded, that value is: " onclick="alert(1)" onsubmit=event.preventDefault() style="display:block; (the leading quote closes the attribute the name is printed into, onclick adds the handler, and onsubmit=event.preventDefault() stops the form from actually submitting so the alert is visible).
  The whole URL now (replace SESSKEY with your own sesskey): /admin/tool/xmldb/index.php?action=delete_field&sesskey=SESSKEY&field=severity&table=%22%20onclick=%22alert(1)%22%20onsubmit=event.preventDefault()%20style=%22display:block;&dir=%2Fadmin%2Ftool%2Fbrickfield%2Fdb (screenshot: image-2023-07-29T13:32:33.073Z.png)
- Click Yes or No (screenshot: image-2023-07-29T13:32:41.917Z.png) and confirm you see an alert.
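The following is an added PHP example written for this report; it is not code from Moodle or the XMLDB editor. It assumes, for illustration only, that the table name is concatenated into a confirmation form's action attribute, and it uses its own function names and an assumed identifier pattern for XMLDB names. It runs the reported payload through that vulnerable pattern, then through an escaped and validated version, and uses DOMDocument to check whether the form element actually acquired an onclick attribute the way a browser would parse it.

```php
<?php
declare(strict_types=1);

// Added example, not Moodle's own code. The markup shape, function names and
// the XMLDB name pattern are assumptions made for this example.

// Constructed input: the URL-decoded value of the `table` parameter from the report.
const PAYLOAD = '" onclick="alert(1)" onsubmit=event.preventDefault() style="display:block;';

// Vulnerable pattern: the name is concatenated into an attribute untouched, so
// the leading quote closes the attribute and onclick= becomes a real attribute.
function confirm_form_unescaped(string $dir, string $table, string $field, string $sesskey): string {
    $url = "index.php?action=delete_field&confirmed=1&dir=$dir&table=$table&field=$field&sesskey=$sesskey";
    return '<form method="post" action="' . $url . '"><input type="submit" value="Yes"></form>';
}

// Same job as Moodle's s(): escape a string for an HTML text or attribute context.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// Assumed identifier rule for XMLDB table and field names; reject early so a
// hostile value is never used at all (defence in depth on top of escaping).
function is_xmldb_name(string $name): bool {
    return preg_match('/^[a-z][a-z0-9_]*$/', $name) === 1;
}

// Hardened pattern: validate, URL-encode each value for the query string, then
// attribute-escape the whole URL. Two output contexts, two encodings.
function confirm_form_escaped(string $dir, string $table, string $field, string $sesskey): string {
    foreach (['table' => $table, 'field' => $field] as $what => $value) {
        if (!is_xmldb_name($value)) {
            throw new InvalidArgumentException("invalid $what name");
        }
    }
    $query = http_build_query([
        'action' => 'delete_field', 'confirmed' => 1, 'dir' => $dir,
        'table' => $table, 'field' => $field, 'sesskey' => $sesskey,
    ]);
    return '<form method="post" action="' . esc('index.php?' . $query) . '"><input type="submit" value="Yes"></form>';
}

// Parse the markup the way a browser would and report whether the <form>
// element ended up with an onclick attribute (what the reporter observes).
function form_has_onclick(string $html): bool {
    libxml_use_internal_errors(true);          // tolerate the malformed attributes
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $form = $doc->getElementsByTagName('form')->item(0);
    return $form !== null && $form->hasAttribute('onclick');
}

$dir = '/admin/tool/brickfield/db';

$bad = confirm_form_unescaped($dir, PAYLOAD, 'severity', 'SESSKEY');
echo 'unescaped: ', form_has_onclick($bad) ? "onclick injected\n" : "clean\n";

try {
    confirm_form_escaped($dir, PAYLOAD, 'severity', 'SESSKEY');
} catch (InvalidArgumentException $e) {
    echo 'validated: rejected (', $e->getMessage(), ")\n";
}

// Escaping alone (validation skipped) also keeps the quote inert: it becomes &quot;.
$good = '<form method="post" action="' . esc('index.php?table=' . PAYLOAD) . '"></form>';
echo 'escaped:   ', form_has_onclick($good) ? "onclick injected\n" : "clean\n";

// A well-formed name (constructed) passes validation and produces a clean form.
$ok = confirm_form_escaped($dir, 'my_table', 'severity', 'SESSKEY');
echo 'valid:     ', form_has_onclick($ok) ? "onclick injected\n" : "clean\n";
```

In Moodle's own terms the two halves map to cleaning the incoming parameter with a strict type (clean_param() with a type such as PARAM_ALPHANUMEXT rather than a permissive one) and escaping every place the name is printed with s(). Escaping at output is what makes the fix robust if the confirmation page later changes, which is the "future risk" the description refers to.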
Note: This was originally reported via BC submission 4d490883-bbaf-4c3d-9369-18755a4c24d8, which was closed as informational as this is being raised as a general bug.