[VIM] Moodle issue - invalid vendor ack? and extra vulns
George A. Theall
theall at tenablesecurity.com
Tue Sep 19 20:04:12 EDT 2006
Steven M. Christey wrote:
> But the Moodle changelog for 1.6.2 here:
>
> http://docs.moodle.org/en/Release_notes#Moodle_1.6.2
>
> does not provide sufficient details to match up with the original
> disclosure,
Are you referring to Omid's posting -
<http://www.securityfocus.com/archive/1/446227/30/0/threaded>? That was
indeed fixed in 1.6.2. The problem lies in 'do_save()' in blob/edit.php
- an authenticated attacker can manipulate database queries via the
'format' parameter of the script. With the help of some debugging
statements I added, I could see that the supplied value was being passed
to '_adodb_column_sql()' in 'lib/adodb/adodb-lib.inc.php' with 'type'
equal to 'I', and in 1.6.1, the value was used as-is, without being
restricted to an int.
> It also mentions other security issues, but most of the items are
> terse and some might be enhancements instead of vulns.
>
> Has anybody investigated further?
The 'course/jumpto.php' issue exists too. It might be possible to
leverage that to conduct XSS attacks against an install, but I'm not sure.
George
--
theall at tenablesecurity.com
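
The integer-column handling described in the message above, as an added example that is not part of the original post and is not Moodle or ADOdb source. The function names, the `post` table, its columns and the request values are hypothetical and constructed for illustration; it contrasts a type 'I' value used as-is with one restricted to an int.

```php
<?php
// Added illustration; not Moodle or ADOdb code. All names are hypothetical.

// Behaviour as the message describes for 1.6.1: a type 'I' column value
// is placed into the statement as-is.
function column_sql_as_is(string $type, $value): string
{
    if ($type === 'I') {
        return (string) $value;          // nothing checks that this is a number
    }
    // Simplified string quoting, enough for this illustration.
    return "'" . str_replace("'", "''", (string) $value) . "'";
}

// Hardened form: a type 'I' column can only ever yield an integer literal.
function column_sql_int_only(string $type, $value): string
{
    if ($type === 'I') {
        $int = filter_var($value, FILTER_VALIDATE_INT);
        if ($int === false) {            // 0 is valid, so compare strictly
            throw new InvalidArgumentException('integer column got a non-integer value');
        }
        return (string) $int;
    }
    return "'" . str_replace("'", "''", (string) $value) . "'";
}

function build_update(callable $fmt, array $types, array $fields, int $id): string
{
    $sets = [];
    foreach ($fields as $name => $value) {
        $sets[] = $name . ' = ' . $fmt($types[$name], $value);
    }
    return 'UPDATE post SET ' . implode(', ', $sets) . ' WHERE id = ' . $id;
}

$types  = ['summary' => 'C', 'format' => 'I'];
// Constructed request values; 'format' is expected to be a small integer.
$benign = ['summary' => 'hello', 'format' => '1'];
$odd    = ['summary' => 'hello', 'format' => '1, other_col = 0'];

echo build_update('column_sql_as_is', $types, $benign, 7), "\n";
echo build_update('column_sql_as_is', $types, $odd, 7), "\n";  // SET list gains a clause
echo build_update('column_sql_int_only', $types, $benign, 7), "\n";
try {
    build_update('column_sql_int_only', $types, $odd, 7);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```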