
78 lines
2.7 KiB
Text
Executable file
Moodle File Disclosure Vulnerability

Systems Affected                 Moodle series <1.6.9+, <1.7.7+, <1.8.9, <1.9.5
Severity                         Critical
Probability of being vulnerable  Rather Low
Vendor                           http://moodle.org/
Filed Bug                        #MDL-18552
Author                           Christian J. Eibl
Date                             20090327

I. BACKGROUND

Moodle is an open source (web-based) learning management system with
users all over the world in educational institutes, schools, or
companies. See the vendor homepage for details.

II. DESCRIPTION

An input filter for TeX formulas can be exploited to disclose files
readable by the web server. This includes the Moodle configuration
file with all authentication data and server locations for directly
connecting to the backend database.

The TeX filter is off by default, and where it has been activated, a
complete LaTeX environment will mostly not be available on the server
system.

III. DETECTION OF VULNERABILITY

Since Moodle 1.6 a complete LaTeX environment is preferred over the
shipped mimetex program for rendering TeX formulas to images that can
be included in HTML pages.

In any text input area, e.g., a forum, type something like "$$ \jobname
$$" (without quotes). If the result looks like

- "$$ \jobname $$": TeX filter not activated
- "[jobname ?]": TeX filter activated, but mimetex used
- "a91dbb..." (hash): TeX filter active and LaTeX used (vulnerable)

Since LaTeX per se is very powerful for file inclusion and even file
writes, the vulnerability depends on the LaTeX environment and its
configuration.

IV. EXPLOIT PoC

If LaTeX is not configured to restrict file inclusion (the default!),
then both absolute and relative paths can be used. As a proof of
concept enter:

"$$ \input{/etc/passwd} $$"

In case the system is vulnerable, this will read the /etc/passwd file
and render its contents into an image included in the text. Hence, the
content is disclosed.

Rendering takes place in a temporary folder by default, which should
not be within the scope of the web server. Otherwise even arbitrary
code could be injected to compromise the whole web environment.

By using relative paths with background knowledge of Moodle's path
organization, it is easy to disclose the configuration file with
sensitive data.

V. WORKAROUND

Several alternatives:

1) deactivate the TeX filter, if not needed
2) use the more restrictive mimetex program for rendering
3) change the LaTeX configuration (set "openin_any=p" for paranoid!)

... or upgrade to the latest development version, where the patch
should be applied by now.
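
The following shell script is an added example; it is not part of the
advisory and not Moodle's or the TeX distribution's own code. It serves
two passages above: workaround 3 (reading the effective openin_any mode
from a texmf.cnf-style file, which is where kpathsea-based TeX
distributions keep that setting) and the detection section (flagging
submitted formulas that use file-access primitives such as the \input
and \jobname probes the advisory shows, as a moderator or log check).
The list of flagged primitives, the function names and all file
contents are this example's own constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory or Moodle): defender-side checks
# for the TeX filter file-disclosure issue. All samples are constructed.

# classify_openin_any FILE
# Prints the effective openin_any mode found in a texmf.cnf-style file:
# p (paranoid), r (restricted), a (any), unset, or unknown.
# texmf.cnf comments start with '%'; the last uncommented assignment wins.
classify_openin_any() {
    val=$(grep -E '^[[:space:]]*openin_any[[:space:]]*=' "$1" \
          | tail -n 1 \
          | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]"]//g')
    case "$val" in
        p|paranoid)   echo p ;;
        r|restricted) echo r ;;
        a|any)        echo a ;;
        "")           echo unset ;;
        *)            echo unknown ;;
    esac
}

# tex_input_is_suspicious FORMULA
# Exit status 0 if the formula names a primitive that reads, writes or
# reveals file names; 1 otherwise. The primitive list is an assumption
# chosen for this example, not Moodle's patch.
tex_input_is_suspicious() {
    printf '%s' "$1" \
      | grep -qE '\\(input|include|openin|openout|read|write|jobname)([^A-Za-z]|$)'
}

# count_suspicious FILE
# Reads one submitted formula per line and prints how many are flagged.
count_suspicious() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        if tex_input_is_suspicious "$line"; then
            n=$((n + 1))
        fi
    done < "$1"
    echo "$n"
}

# make_samples
# Writes constructed sample files into a temp directory and prints its path.
make_samples() {
    dir=$(mktemp -d)
    # Default-like configuration: TeX may read any file the process can.
    cat > "$dir/default.cnf" <<'EOF'
% constructed sample texmf.cnf
openout_any = p
openin_any = a
EOF
    # Hardened configuration, as workaround 3 in the advisory recommends.
    cat > "$dir/paranoid.cnf" <<'EOF'
% constructed sample texmf.cnf
openout_any = p
openin_any = p
EOF
    # Formulas as a forum moderator might see them in a submission log.
    cat > "$dir/formulas.txt" <<'EOF'
\frac{a}{b} + \sqrt{c}
\input{/etc/passwd}
\jobname
\sum_{i=1}^{n} x_i
\input{../relative/file}
EOF
    echo "$dir"
}

# Stand-alone run: print the verdicts for the constructed samples.
d=$(make_samples)
echo "default.cnf  openin_any: $(classify_openin_any "$d/default.cnf")"
echo "paranoid.cnf openin_any: $(classify_openin_any "$d/paranoid.cnf")"
echo "flagged formulas: $(count_suspicious "$d/formulas.txt") of $(wc -l < "$d/formulas.txt")"
rm -rf "$d"
```

Run it against the real texmf.cnf of the server's TeX installation to
see which mode is in force; in paranoid mode kpathsea refuses absolute
paths and paths that climb into parent directories, which covers both
the absolute and the relative inclusion the advisory describes. The
formula check is a coarse triage aid for forum content or request logs,
not a replacement for the vendor patch or for switching the filter off.
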

VI. TIMELINE

20090312 Bug discovered
20090313 Vendor contact / Bug filed (MDL-18552)
20090314 Response and confirmation by vendor
20090315 First patch proposed
20090327 Bug marked resolved and patch in tree

# milw0rm.com [2009-03-27]