Plugin ID | 95 |
Plugin name | Moodle up to 1.4 post.php cross site scripting |
Plugin filename | Moodle up to 1.4 post.php cross site scripting.plugin |
Plugin filesize | 3484 bytes |
Plugin family | CGI |
Plugin created name | Marc Ruef |
Plugin created email | marc dot ruef at computec dot ch |
Plugin created web | http://www.computec.ch |
Plugin created company | computec.ch |
Plugin created date | 2004/08/16 |
Plugin updated name | Marc Ruef |
Plugin updated email | marc dot ruef at computec dot ch |
Plugin updated web | http://www.computec.ch |
Plugin updated company | computec.ch |
Plugin updated date | 2004/11/13 |
Plugin version | 1.1 |
Plugin changelog | Corrected the plugin structure and added the accuracy values in 1.1 |
Plugin protocol | tcp |
Plugin port | 21 |
Plugin procedure exploit | open|sleep|send GET /post.php?reply=<script>document.write('ATK plugin to detect post.php flaw');</script> HTTP/1.0\n\n|sleep|close|pattern_exists plugin to detect post.php flaw |
Plugin exploit accuracy | 99 |
Plugin comment | The check is copied from the Nessus plugin (see the Nessus ID listed in the sources). |
Bug published name | Javier Ubilla and Ariel |
Bug published date | 2004/08/06 |
Bug advisory | http://www.securityfocus.com/archive/1/661 |
Bug affected | Moodle up to 1.4 |
Bug not affected | Moodle newer than 1.4 |
Bug vulnerability class | Cross Site Scripting |
Bug description | The remote host is running the Moodle PHP suite. Moodle contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'reply' variable upon submission to the 'post.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
Bug solution | The server should be deactivated or uninstalled if it is not needed. To make the server harder to find, the daemon could be configured to listen on another port (e.g. 2181). Try to prevent unwanted connection attempts by filtering traffic with a firewall. Update to the latest version of the affected software. |
Bug fixing time | Approx. 2 hours |
Bug exploit availability | Yes |
Bug exploit url | http://www.securityfocus.com/bid/10884/exploit/ |
Bug remote | Yes |
Bug local | Yes |
Bug severity | Medium |
Bug popularity | 4 |
Bug simplicity | 7 |
Bug impact | 6 |
Bug risk | 5 |
Bug Nessus risk | Medium |
Bug check tools | Nessus |
Source SecurityFocus BID | 10884 |
Source OSVDB ID | 8383 |
Source Nessus ID | 14257 |
Source Literature | Hacking Intern - Angriffe, Strategien, Abwehr, Marc Ruef, Marko Rogge, Uwe Velten and Wolfram Gieseke, November 1, 2002, Data Becker, Düsseldorf, ISBN 381582284X |
Source Misc. | http://www.computec.ch |