Moodle Tracker: MDL-59451

Course module intro should be filtered for XSS


    • Type: Bug
    • Resolution: Deferred
    • Priority: Minor
    • Affects Version/s: 2.7.20, 3.0.10, 3.1.6, 3.2.3, 3.3
    • Component/s: Course, General
    • Affected Branches: MOODLE_27_STABLE, MOODLE_30_STABLE, MOODLE_31_STABLE, MOODLE_32_STABLE, MOODLE_33_STABLE

      1. Ensure trusted content is off, or trusted content is on but the user does not have the trusted content permission.

      2. Create a new label in any course.

      3. Type some text into the intro.

      4. Switch the intro editor to HTML mode.

      5. Append the following code:

      <script type="text/javascript">// <![CDATA[
      ...// ]]></script>
      <p><iframe id="..." src="...." style="display: none;"></iframe></p>

      6. Save.

      7. Edit the label and confirm that the dangerous JS code and the iframe are still there.


      Currently the course module intro text for most modules is treated as RAW (see \course\moodleform_mod.php, function standard_intro_element), so it is not filtered as untrusted content.

      This leads to a huge problem. A user with editing rights (usually a teacher) can catch a virus in their browser. This virus appends some JS code to the end of every editor field on editing. So the editing user does not know about this problem, but the infected course module intro begins showing ads or something more dangerous. So, after some time, the site can be blocked by antivirus software for distributing adware or viruses.

      In our cases, most of the code inserted by viruses looks like:

      <script type="text/javascript">// <![CDATA[
      ...// ]]></script>
      <p><iframe id="..." src="...." style="display: none;"></iframe></p>
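As an added illustration (not code from this report or from Moodle itself), the following Python stand-in shows what "filter as untrusted content" means for the pattern above: a scanner that flags the injected script and hidden iframe in stored intro HTML, and a filter that rebuilds the intro with those elements, on* event handlers and javascript: URLs removed. The sample intros are constructed for the example. Moodle's real filtering is done by clean_text() (HTML Purifier) inside format_text() and is not reproduced here; this is only a minimal model of its effect on a RAW intro.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample intro text (not taken from the report): the same label
# intro as a teacher wrote it, and as it looks after a browser add-on appended
# the script + hidden-iframe pattern the report describes.
CLEAN_INTRO = "<p>Welcome to the course. Read chapter 1 before Monday.</p>"
INFECTED_INTRO = (
    CLEAN_INTRO
    + '\n<script type="text/javascript">// <![CDATA[\n'
    + "document.write('<img src=\"https://ads.example/x.gif\">');// ]]></script>\n"
    + '<p><iframe id="inj1" src="https://evil.example/ad" style="display: none;"></iframe></p>'
)

# Elements an untrusted-content filter must never let through, and the
# attributes that can carry a URL (checked for the javascript: scheme).
DROP_ELEMENTS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src"}


def _dangerous_attr(name, value):
    """True for on* event handlers and javascript: URLs."""
    if name.startswith("on"):
        return True
    return name in URL_ATTRS and bool(value) and value.strip().lower().startswith("javascript:")


class IntroScanner(HTMLParser):
    """Detector: records every element/attribute the filter would drop, text unchanged."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            self.findings.append((tag, dict(attrs)))
        for name, value in attrs:
            if _dangerous_attr(name, value):
                self.findings.append((tag, {name: value}))


class IntroSanitizer(HTMLParser):
    """Filter: rebuilds the HTML, skipping dropped elements (and their content)."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.out = []
        self._skip_depth = 0  # > 0 while inside a dropped element

    def _attrs(self, attrs):
        return "".join(
            f' {name}="{escape(value or "", quote=True)}"'
            for name, value in attrs
            if not _dangerous_attr(name, value)
        )

    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            self._skip_depth += 1
        elif not self._skip_depth:
            self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if tag not in DROP_ELEMENTS and not self._skip_depth:
            self.out.append(f"<{tag}{self._attrs(attrs)} />")

    def handle_endtag(self, tag):
        if tag in DROP_ELEMENTS:
            self._skip_depth = max(0, self._skip_depth - 1)
        elif not self._skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(data)  # script bodies arrive here and are skipped

    def handle_entityref(self, name):
        if not self._skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip_depth:
            self.out.append(f"&#{name};")


def scan_intro(html):
    """Return a list of (tag, attrs) for everything the filter would remove."""
    p = IntroScanner()
    p.feed(html)
    p.close()
    return p.findings


def sanitize_intro(html):
    """Return the intro with script/iframe/object/embed, on* and javascript: removed."""
    p = IntroSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    for tag, attrs in scan_intro(INFECTED_INTRO):
        print("would drop:", tag, attrs)
    print(sanitize_intro(INFECTED_INTRO))
```

Running the scanner over exported intro fields is a quick way to find modules that were already infected before filtering was switched on; the sanitizer shows that the visible label text survives intact while the appended script and hidden iframe disappear.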

            Assignee: Unassigned
            Reporter: Vadim Dvorovenko (vadimon)