[VIM] Moodle <= 1.8.4 Remote Code Execution Exploit

security curmudgeon jericho at attrition.org
Mon Sep 8 09:43:50 UTC 2008


On Fri, 5 Sep 2008, George A. Theall wrote:

: FYI, while looking into milw0rm 6356, I notice the underlying issue is in the
: KSES library it uses. The project addressed the issue earlier this year; eg,
: 
:  http://moodle.org/mod/forum/discuss.php?d=95031
:  http://cvs.moodle.org/moodle/lib/kses.php?r1=1.3.2.2&r2=1.3.2.3
: 
: SecurityFocus created BID 30995 for the issues covered by milw0rm 6356, 
: yet they also have BID 28599, which covers the code execution issue in 
: KSES as well as a couple of other issues, so 30995 would seem to be a 
: dup.

BID 30995 is for multiple remote file inclusions in Moodle and references 
the milw0rm exploit under 'exploit' (well, not reference, copies the code 
from?). I assume this is KSES based code based on the /lib/kses.php 
reference.

BID 28599 is for kses multiple input validation vulns, but the discussion 
covers XSS and references previous BID 28424 and 28121.

OSVDB 43677 covers the XSS weakness, but we didn't have an entry for the 
RFI (and to confirm, the $injection_points array is for each unique script 
vulnerable, right?). We will make one to cover this and cross-ref Milw0rm 
6356 / BID 30995.

Based on the two BIDs, they don't seem to be a dupe to me though as one is 
for RFI, the other for XSS?


