
Moodle 2.5.9/2.6.8/2.7.5/2.8.3 Block Title Handler Cross-Site Scripting

Medium
Advisory ID: ZSL-2015-5236
Release Date: 16 March 2015
Vendor: Moodle Pty Ltd - https://www.moodle.org
Affected Version: 2.8.3, 2.7.5, 2.6.8 and 2.5.9
Tested On: nginx, PHP/5.4.22
Summary

Moodle is a learning platform designed to provide educators, administrators and learners with a single robust, secure and integrated system to create personalised learning environments.

Description

Moodle suffers from persistent XSS vulnerabilities. Input passed to the POST parameters 'config_title' and 'title' through index.php is not properly sanitized, allowing an attacker to execute HTML or JS code in a user's browser session on the affected site. Affected components: Blocks, Glossary, RSS and Tags.
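
The flaw class described above, shown as an added illustration that is not Moodle source code and not part of the original advisory: a stored title rendered without output encoding next to the encoded form, plus a small audit check for titles already in storage. The function names and sample titles are hypothetical and constructed for this example.

```php
<?php
// Added illustration; not Moodle code. All names below are hypothetical.

// Constructed sample titles, as they might have been saved from the
// 'config_title' POST parameter.
$storedTitles = [
    'Upcoming events',
    'Maths & Physics',
    '<u>injected</u>',   // markup in element content
    '" data-x="1',       // breaks out of a double-quoted attribute
];

/** Vulnerable pattern: the stored title is concatenated into HTML unchanged. */
function render_block_header_unsafe(string $title): string
{
    return '<h2 class="block-title" title="' . $title . '">' . $title . '</h2>';
}

/** Hardened pattern: encode at output time for both text and attribute context. */
function render_block_header_safe(string $title): string
{
    $enc = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2 class="block-title" title="' . $enc . '">' . $enc . '</h2>';
}

/**
 * Audit helper: true when a stored title contains characters that can open a
 * tag or close a double-quoted attribute. Useful for reviewing titles saved
 * before the fixed release was installed.
 */
function title_needs_review(string $title): bool
{
    return preg_match('/[<>"]/', $title) === 1;
}

foreach ($storedTitles as $t) {
    printf("title:  %s\n", $t);
    printf("review: %s\n", title_needs_review($t) ? 'yes' : 'no');
    printf("unsafe: %s\n", render_block_header_unsafe($t));
    printf("safe:   %s\n\n", render_block_header_safe($t));
}
```

Because the issue is persistent, titles saved before upgrading remain in storage; a check like `title_needs_review` applied to stored values identifies entries to inspect after patching.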

Proof of Concept
Disclosure Timeline
09.02.2015: Vulnerability discovered.
09.02.2015: Vendor informed.
09.02.2015: Vendor assigns tracker issue as MDL-49144.
10.02.2015: Vendor confirms the vulnerability.
10.02.2015: Vendor working on fix.
17.02.2015: Asked vendor for scheduled patch release date.
17.02.2015: Vendor replies.
02.03.2015: Vendor develops fix, review of fix integration started.
05.03.2015: Fix tested and verified by vendor.
09.03.2015: Vendor releases versions 2.6.9, 2.7.6 and 2.8.4 to address this issue.
16.03.2015: Vendor releases security advisory MSA-15-0013.
16.03.2015: Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
16.03.2015: Initial release
17.03.2015: Added reference [7] and [8]
18.03.2015: Added reference [9] and [10]