95
Moodle up to 1.4 post.php cross site scripting
CGI
2004/08/16
Marc Ruef
marc dot ruef at computec dot ch
http://www.computec.ch
computec.ch
Marc Ruef
marc dot ruef at computec dot ch
http://www.computec.ch
computec.ch
2004/11/13
1.1
Corrected the plugin structure and added the accuracy values in 1.1
tcp
21
open|sleep|send GET /post.php?reply=document.write('ATK plugin to detect post.php flaw'); HTTP/1.0\n\n|sleep|close|pattern_exists plugin to detect post.php flaw
99
Check is copied from the Nessus plugin (see Nessus ID listed in the sources).
Javier Ubilla and Ariel
2004/08/06
http://www.securityfocus.com/archive/1/661
Moodle up to 1.4
Moodle newer than 1.4
Cross Site Scripting
The remote host is running the Moodle PHP suite. Moodle contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'reply' variable upon submission to the 'post.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
The server should be deactivated or uninstalled if it is not necessary. To make the server harder to find, the daemon could be configured to listen on another port (e.g. 2181). Try to prevent unwanted connection attempts by filtering traffic with a firewall. Update to the latest version of the affected software.
Approx. 2 hours
Yes
http://www.securityfocus.com/bid/10884/exploit/
Yes
Yes
Medium
4
7
6
5
Medium
Nessus
10884
8383
14257
Hacking Intern - Angriffe, Strategien, Abwehr, Marc Ruef, Marko Rogge, Uwe Velten and Wolfram Gieseke, November 1, 2002, Data Becker, Düsseldorf, ISBN 381582284X
http://www.computec.ch