95
Moodle up to 1.4 post.php cross site scripting
CGI
2004/08/16
Marc Ruef, marc dot ruef at computec dot ch, http://www.computec.ch, computec.ch
Marc Ruef, marc dot ruef at computec dot ch, http://www.computec.ch, computec.ch
2004/11/13
1.1
Corrected the plugin structure and added the accuracy values in 1.1
tcp 21
open|sleep|send GET /post.php?reply= HTTP/1.0\n\n|sleep|close|pattern_exists
plugin to detect post.php flaw
99
Check is copied from the Nessus plugin (see Nessus ID listed in the sources).

Javier Ubilla and Ariel
2004/08/06
http://www.securityfocus.com/archive/1/661
Moodle up to 1.4
Moodle newer than 1.4
Cross Site Scripting

The remote host is running the Moodle PHP suite. Moodle contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'reply' variable upon submission to the 'post.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

The server should be deactivated or de-installed if not necessary. To make it harder to find the server the daemon could be configured to listen at another port (e.g. 2181). Try to prevent unwanted connection attempts by filtering traffic with firewalling. Update to the latest version of the affected software.

Approx. 2 hours
Yes
http://www.securityfocus.com/bid/10884/exploit/
Yes
Yes
Medium 4 7 6 5
Medium
Nessus
10884 8383 14257

Hacking Intern - Angriffe, Strategien, Abwehr, Marc Ruef, Marko Rogge, Uwe Velten and Wolfram Gieseke, November 1, 2002, Data Becker, Düsseldorf, ISBN 381582284X
http://www.computec.ch