bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/8297.txt
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

78 lines
2.7 KiB
Text
Executable file
Raw Blame History

Moodle File Disclosure Vulnerability
Systems Affected Moodle series <1.6.9+, <1.7.7+, <1.8.9, <1.9.5
Severity Critical
Probability of being vulnerable Rather Low
Vendor http://moodle.org/
Filed Bug #MDL-18552
Author Christian J. Eibl
Date 20090327
I. BACKGROUND
Moodle is an open source (webbased) learning management system with
users all over the world in educational institutes, schools, or
companies. See vendor homepage for details.
II. DESCRIPTION
An input filter for TeX formulas can be exploited to disclose files
readable by the web server. This includes the moodle configuration
file with all authentication data and server locations for directly
connecting to backend database.
TeX filter by default is off and in case of being activated mostly no
complete LaTeX environment on a server system will be available.
III. DETECTION OF VULNERABILITY
Since Moodle 1.6 a complete LaTeX environment is preferred over the
shipped mimetex program for rendering TeX formulas to images that can
be included in HTML pages.
In any text input area, e.g., forum, type something like "$$ \jobname
$$" (without quotes). If the result looks like
- "$$ \jobname $$": TeX filter not activated
- "[jobname ?]": TeX filter activated, but mimetex used
- "a91dbb..." (hash): TeX filter active and LaTeX used (vuln.)
Since LaTeX per se is very powerful for file inclusion and even
writes, the vulnerability depends on LaTeX environment and its
configuration.
IV. EXPLOIT PoC
If LaTeX is not configured to restrict file inclusion (default!), then
absolute paths and relative ones can be used. As proof of concept
enter:
"$$ \input{/etc/passwd} $$"
In case the system is vulnerable, this will read the /etc/passwd file
and will render the contents to an image included in the text. Hence,
content is disclosed.
Rendering takes place in temporary folder by default which should not
be in the scope of the web server. Otherwise even arbitrary code could
be injected to compromise the whole web environment.
By using relative paths with background knowledge of Moodle's path
organization, it is easy to disclose the configuration file with
sensitive data.
V. WORKAROUND
Several alternatives:
1) deactivate TeX filter, if not needed
2) use more restrictive mimetex program for rendering
3) change LaTeX configuration (set "openin_any=p" for paranoid!)
... or upgrade to latest development version where patch should be
applied by now.
VI. TIMELINE
20090312 Bug discovered
20090313 Vendor contact / Bug filed (MDL-18552)
20090314 Response and confirmation by vendor
20090315 First patch proposed
20090327 Bug marked resolved and patch in tree
# milw0rm.com [2009-03-27]
Reference in a new issue View git blame Copy permalink