[VIM] Moodle <= 1.8.4 Remote Code Execution Exploit
George A. Theall
theall at tenablesecurity.com
Tue Sep 9 17:05:53 UTC 2008
On Sep 8, 2008, at 5:43 AM, security curmudgeon wrote:
> BID 28599 is for kses multiple input validation vulns, but the discussion
> covers XSS and references previous BID 28424 and 28121.
The discussion under BID 28599 says PHP code execution is also
possible, as does the Bugtraq posting from Łukasz Pilorz referenced by
the BID:
http://www.securityfocus.com/archive/1/490402
> OSVDB 43677 covers the XSS weakness, but we didn't have an entry for the
> RFI (and to confirm, the $injection_points array is for each unique script
> vulnerable right?).
It's not a remote file include but rather code injection caused by
unsafe usage of the 'e' pattern modifier in a preg_replace() call.
Yes, the scripts and (POST) parameters listed in $injection_points in
Milw0rm 6356 represent attack vectors. But the actual issue lies in
kses_bad_protocol_once() in lib/kses.php. And that was addressed by
the Moodle team here:
http://moodle.org/mod/forum/discuss.php?d=95031
as BID 28599 notes.
George
--
theall at tenablesecurity.com
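The distinction George draws above (code injection via the 'e' modifier, not a file include) is worth seeing in code. The block below is an added illustration and is not Moodle or kses code: it uses a hypothetical scheme-normalising sanitizer to show the risky preg_replace() shape beside the preg_replace_callback() form that removes the problem, and adds a small reviewer helper that flags 'e' modifiers in pattern literals. The function names and the sample source are constructed for this example.

```php
<?php
// Added illustration, not Moodle or kses code. It shows the bug class George
// describes (a preg_replace() call with the 'e' modifier, which evaluates the
// replacement string as PHP after substituting captured input) next to the
// callback form that removes it, plus a small reviewer helper that flags 'e'
// modifiers in a source tree. PHP 5.5 deprecated 'e' and 7.0 removed it, so
// the legacy call appears only as a comment.
declare(strict_types=1);

// Hypothetical legacy sanitizer (comment only, do not use): with 'e', the
// replacement "strtolower('\\1') . ':'" is handed to eval() with the captured
// text pasted in, so attacker-controlled input is treated as PHP code.
//
//   return preg_replace('/^([a-z0-9]+):/ie', "strtolower('\\1') . ':'", $url);

// Hardened equivalent: preg_replace_callback() hands the match to a closure
// as an array of strings, so the captured text is only ever data.
function normalize_scheme(string $url): string
{
    return preg_replace_callback(
        '/^([a-z0-9]+):/i',
        static fn(array $m): string => strtolower($m[1]) . ':',
        $url
    ) ?? $url; // preg_replace_callback() returns null on a PCRE error
}

// Reviewer helper: report lines where a preg_replace() pattern literal carries
// the 'e' modifier. First pass only: patterns built at runtime are not seen.
function find_e_modifier(string $source): array
{
    $hits = [];
    foreach (explode("\n", $source) as $i => $line) {
        // quote, delimiter, lazy body, same delimiter, modifiers, same quote
        if (preg_match('/preg_replace\s*\(\s*([\'"])(.)(.*?)\2([a-zA-Z]*)\1/', $line, $m)
            && strpos($m[4], 'e') !== false) {
            $hits[] = ['line' => $i + 1, 'pattern' => $m[2] . $m[3] . $m[2] . $m[4]];
        }
    }
    return $hits;
}

// Constructed sample source for the helper: one risky call, two safe ones.
$sample = <<<'PHP'
$a = preg_replace('/^([a-z0-9]+):/ie', "strtolower('\\1') . ':'", $url);
$b = preg_replace('/\s+/', ' ', $text);
$c = preg_replace_callback('/^([a-z0-9]+):/i', fn($m) => strtolower($m[1]) . ':', $url);
PHP;

foreach (find_e_modifier($sample) as $hit) {
    printf("line %d: pattern %s uses the 'e' modifier\n", $hit['line'], $hit['pattern']);
}
echo normalize_scheme('HTTP://example.com/'), "\n";
```

Only the first sample line is reported; the callback form on the third line is not a preg_replace() call at all, which is the point of the fix: the closure receives matches as data, and there is no eval() step for input to reach.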