[VIM] Moodle <= 1.8.4 Remote Code Execution Exploit

George A. Theall theall at tenablesecurity.com
Tue Sep 9 17:05:53 UTC 2008


On Sep 8, 2008, at 5:43 AM, security curmudgeon wrote:

> BID 28599 is for kses multiple input validation vulns, but the discussion
> covers XSS and references previous BID 28424 and 28121.

The discussion under BID 28599 says PHP code execution is also  
possible, as does the Bugtraq posting from Łukasz Pilorz referenced by  
the BID:

   http://www.securityfocus.com/archive/1/490402

> OSVDB 43677 covers the XSS weakness, but we didn't have an entry for the
> RFI (and to confirm, the $injection_points array is for each unique script
> vulnerable right?).

It's not a remote file include but rather code injection caused by  
unsafe usage of the 'e' pattern modifier in a preg_replace() call.

Yes, the scripts and (POST) parameters listed in $injection_points in  
Milw0rm 6356 represent attack vectors. But the actual issue lies in  
kses_bad_protocol_once() in lib/kses.php. And that was addressed by  
the Moodle team here:

   http://moodle.org/mod/forum/discuss.php?d=95031

as BID 28599 notes.

George
-- 
theall at tenablesecurity.com
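The bug class George describes above, as an added illustration that is not kses' or Moodle's own code: a preg_replace() call whose 'e' modifier evaluates the replacement string as PHP, beside the preg_replace_callback() form that removes the eval. The regex, the filter_protocol() helper and the inputs are constructed for this example and only model the pattern, not the patched lib/kses.php.

```php
<?php
// Constructed stand-in for the per-protocol check: keep a whitelisted scheme,
// drop anything else. Not the kses function.
function filter_protocol($scheme, array $allowed)
{
    $scheme = strtolower(preg_replace('/\s/', '', $scheme));
    return in_array($scheme, $allowed, true) ? $scheme . ':' : '';
}

// VULNERABLE PATTERN (PHP 5 semantics; the 'e' modifier was deprecated in
// PHP 5.5 and removed in 7.0, where this call only warns and returns null).
// With /e, "\\1" is textually substituted into the replacement and the result
// is executed as PHP. Any capture that can contain a double quote closes the
// string literal, so the remainder of the capture runs as code: the filter
// meant to sanitise input instead evaluates it.
function strip_bad_protocol_e($string, array $allowed)
{
    return preg_replace(
        '/^((&[^;]*;|[\sA-Za-z0-9])*)(:|&#58;|&#[Xx]3[Aa];)\s*/e',
        'filter_protocol("\\1", $allowed)',   // evaluated as PHP source
        $string
    );
}

// HARDENED: preg_replace_callback() hands the capture to the callback as a
// PHP string value. Quotes, semicolons or parentheses in the input are data,
// never source text, so there is nothing to break out of.
function strip_bad_protocol_cb($string, array $allowed)
{
    return preg_replace_callback(
        '/^((&[^;]*;|[\sA-Za-z0-9])*)(:|&#58;|&#[Xx]3[Aa];)\s*/',
        function (array $m) use ($allowed) {
            return filter_protocol($m[1], $allowed);
        },
        $string
    );
}

$allowed_protocols = ['http', 'https', 'mailto'];

// Constructed inputs: an allowed scheme, a disallowed one, and a scheme whose
// colon is entity-encoded (one of the forms the regex normalises).
foreach (['http://example.test/', 'javascript:void(0)', 'Java&#58;x'] as $in) {
    printf("%-22s => %s\n", $in, var_export(strip_bad_protocol_cb($in, $allowed_protocols), true));
}
```

Only the callback version is exercised so the script runs on current PHP; the 'e' variant is kept for comparison of the two call shapes.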