Moodle 2.5.9/2.6.8/2.7.5/2.8.3 Block Title Handler Cross-Site Scripting

Title: Moodle 2.5.9/2.6.8/2.7.5/2.8.3 Block Title Handler Cross-Site Scripting
Advisory ID: ZSL-2015-5236
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 16.03.2015
Summary
Moodle is a learning platform designed to provide educators, administrators and learners with a single robust, secure and integrated system to create personalised learning environments.
Description
Moodle suffers from persistent XSS vulnerabilities. Input passed to the POST parameters 'config_title' and 'title' through index.php is not properly sanitized, allowing an attacker to execute HTML or JS code in a user's browser session in the context of the affected site. Affected components: Blocks, Glossary, RSS and Tags.
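The class of flaw described above, as an added illustration that is neither Moodle's code nor the advisory's PoC: a stored title written into markup as-is, next to a version that encodes it at output time. All function names and the sample value are hypothetical or constructed, and PHP 7+ with the mbstring extension is assumed.

```php
<?php
// Added illustration, not Moodle code. All function names are hypothetical.

/** Input side: reduce a submitted title to bounded plain text before storing it. */
function clean_block_title(string $raw, int $maxLen = 255): string
{
    $text = strip_tags($raw);
    // Replace control characters, then collapse runs of whitespace.
    $text = preg_replace('/[\x00-\x1F\x7F]+/u', ' ', $text) ?? '';
    $text = trim(preg_replace('/\s+/u', ' ', $text) ?? '');
    return mb_substr($text, 0, $maxLen, 'UTF-8'); // needs the mbstring extension
}

/** Weak: the stored title is concatenated into markup unchanged. */
function render_block_header_unsafe(string $storedTitle): string
{
    return '<h2 class="block-title">' . $storedTitle . '</h2>';
}

/** Hardened: the title is encoded for the HTML context when it is written out. */
function render_block_header_safe(string $storedTitle): string
{
    $encoded = htmlspecialchars($storedTitle, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2 class="block-title">' . $encoded . '</h2>';
}

// Constructed sample standing in for a POSTed 'config_title' value.
$submitted = 'Course news <script>/* constructed marker */</script>';

// Case 1: a row saved before any input cleaning existed. Because the flaw is
// persistent, such rows stay live until every output path encodes them.
$legacyStored = $submitted;
echo render_block_header_unsafe($legacyStored), PHP_EOL; // markup passes through
echo render_block_header_safe($legacyStored), PHP_EOL;   // markup shown as text

// Case 2: new submissions are cleaned on input and still encoded on output.
$stored = clean_block_title($submitted);
echo render_block_header_safe($stored), PHP_EOL;
```

Cleaning on input does nothing for titles already in the database, so the output-side encoding has to be applied in each place a title is rendered.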
Vendor
Moodle Pty Ltd - https://www.moodle.org
Affected Version
2.8.3, 2.7.5, 2.6.8 and 2.5.9
Tested On
nginx
PHP/5.4.22
Vendor Status
[09.02.2015] Vulnerability discovered.
[09.02.2015] Vendor informed.
[09.02.2015] Vendor assigns tracker issue as MDL-49144.
[10.02.2015] Vendor confirms the vulnerability.
[10.02.2015] Vendor working on fix.
[17.02.2015] Asked vendor for scheduled patch release date.
[17.02.2015] Vendor replies.
[02.03.2015] Vendor develops fix, review of fix integration started.
[05.03.2015] Fix tested and verified by vendor.
[09.03.2015] Vendor releases versions 2.6.9, 2.7.6 and 2.8.4 to address this issue.
[16.03.2015] Vendor releases security advisory MSA-15-0013.
[16.03.2015] Coordinated public security advisory released.
PoC
moodle_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://moodle.org/mod/forum/discuss.php?d=307383
[2] https://tracker.moodle.org/browse/MDL-49144
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2269
[4] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2269
[5] http://www.scip.ch/en/?vuldb.74008
[6] https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101557
[7] http://www.exploit-db.com/exploits/36418/
[8] http://osvdb.org/show/osvdb/119617
[9] http://packetstormsecurity.com/files/130865
[10] http://cxsecurity.com/issue/WLB-2015030118
Changelog
[16.03.2015] - Initial release
[17.03.2015] - Added reference [7] and [8]
[18.03.2015] - Added reference [9] and [10]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk