  1. Moodle
  2. MDL-22388

Reporter says input not properly verified on various form scripts


    • Bug
    • Resolution: Fixed
    • Minor
    • 1.9.9
    • 1.9.8
    • None
    • MOODLE_19_STABLE
    • MOODLE_19_STABLE

      As reported by eidelweiss@cyberservices.com via the moodle.org contact form:

      The Vulnerability in Moodle versions 1.9.8+ is:

      1. No sanitize, not defined and no login required for:

      <?***
      require_once($CFG->libdir.'/formslib.php');
      ***?>

      2. Input passed to the "libdir" and "dirroot" parameters in multiple files is
      not properly verified before being used to include files. This can be exploited
      to execute arbitrary PHP code by including files from local or external
      resources (RFI) and can also be exploited to disclose full user names of other
      users (LFI).

            dougiamas Martin Dougiamas
            tsala Helen Foster