Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Blocker
Fix Version/s: 3.8
Affects Version/s: 3.8
Component/s: Filters, H5P
Labels:
- triaged

Affected Branches:
MOODLE_38_STABLE
Fixed Branches:
MOODLE_38_STABLE
Epic Link:
Tools to improve H5P content integration in Moodle

Testing Instructions:

Hide

Setup

Check in Site administration > Plugins > Filters > Manage filters 'Display H5P' filter is enabled and applied before 'Convert URLs into links and images' and 'Activity names auto-linking' filters.

Prerequisites:

Having multiple H5P content URLs:

Go to Site administration > Plugins > Filters > Display H5P and, in "Allowed sources", add this:

https://h5p.org/h5p/embed/[id]

https://generic.wordpress.soton.ac.uk/altc/wp-admin/admin-ajax.php?action=h5p_embed&id=[id]

https://moodle.h5p.com/content/[id]/embed

https://moodle.h5p.com/content/[id]

Test 1

Check in Site administration > Plugins > Filters > Manage filters 'Convert URLs into links and images' filter is Disabled or, in case it is On, is ordered below Display H5P filter.
Create a course C1.
In course C1, add a Label anywhere.

In the Label text Atto editor, copy and paste the following text using the HTML/code view:

<div>1.valid URL: https://h5p.org/h5p/embed/580638</div>

<div>2.another valid URL: https://h5p.org/h5p/embed/6729</div>

<div>3.non valid URL: https://moodle.org</div>

<div>4.URL inside a link tag: <a href="https://h5p.org/h5p/embed/6729">link</a></div>

<div>5.paragraph with a valid URL https://h5p.org/h5p/embed/580638 inside</div>

<div>6.a valid URL ended by '/embed': https://moodle.h5p.com/content/1290729733828858779/embed</div>

<div>7.an h5p.com valid URL not ended by '/embed': https://moodle.h5p.com/content/1290729733828858779</div>

<div>8.an wordpress valid URL: https://generic.wordpress.soton.ac.uk/altc/wp-admin/admin-ajax.php?action=h5p_embed&id=1</div>

Confirm that the H5P contents of 1, 2, 5, 6 and 7 are displayed.

Test 2

Go to Site administration > Plugins > Filters > Display H5P and, in "Allowed sources", add this:

https://h5p.org/h5p/embed/[id]

https://generic.wordpress.soton.ac.uk/altc/wp-admin/admin-ajax.php?action=h5p_embed&id=[id]

https://*.h5p.com/content/[id]/embed

https://*.h5p.com/content/[id]

Go to label created in C1 course
Confirm that the H5P contents of 1, 2, 5 , 8 are displayed.
Confirm that the H5P contents of 6 and 7 are not displayed.

Tes3 - local files

As an admin navigate to 'Private files'
Create a folder with spaces in the name, e.g. 'Folder with spaces'.
Upload 'arithmetic-quiz-22-57860 (1).h5p' file to the folder
Navigate to Dashboard. Add 'Private files' block to your Dashboard.
Copy link address to 'arithmetic-quiz-22-57860 (1).h5p' file
In a course create a new label.
Add link address to 'arithmetic-quiz-22-57860 (1).h5p' file to 'Label text'
Save and return to course.
Make sure H5P content is rendered and working

Show

Setup Check in Site administration > Plugins > Filters > Manage filters 'Display H5P' filter is enabled and applied before 'Convert URLs into links and images' and 'Activity names auto-linking' filters. Prerequisites: Having multiple H5P content URLs: Go to Site administration > Plugins > Filters > Display H5P and, in "Allowed sources", add this: https://h5p.org/h5p/embed/[id] https://generic.wordpress.soton.ac.uk/altc/wp-admin/admin-ajax.php?action=h5p_embed&id=[id] https://moodle.h5p.com/content/[id]/embed https://moodle.h5p.com/content/[id] Test 1 Check in Site administration > Plugins > Filters > Manage filters 'Convert URLs into links and images' filter is Disabled or, in case it is On, is ordered below Display H5P filter. Create a course C1. In course C1, add a Label anywhere. In the Label text Atto editor, copy and paste the following text using the HTML/code view : <div> 1 .valid URL: https: //h5p.org/h5p/embed/580638</div> <div> 2 .another valid URL: https: //h5p.org/h5p/embed/6729</div> <div> 3 .non valid URL: https: //moodle.org</div> <div> 4 .URL inside a link tag: <a href= "https://h5p.org/h5p/embed/6729" >link</a></div> <div> 5 .paragraph with a valid URL https: //h5p.org/h5p/embed/580638 inside</div> <div> 6 .a valid URL ended by '/embed' : https: //moodle.h5p.com/content/1290729733828858779/embed</div> <div> 7 .an h5p.com valid URL not ended by '/embed' : https: //moodle.h5p.com/content/1290729733828858779</div> <div> 8 .an wordpress valid URL: https: //generic.wordpress.soton.ac.uk/altc/wp-admin/admin-ajax.php?action=h5p_embed&id=1</div> Confirm that the H5P contents of 1, 2, 5, 6 and 7 are displayed. Test 2 Go to Site administration > Plugins > Filters > Display H5P and, in "Allowed sources", add this: https: //h5p.org/h5p/embed/[id] https: //generic.wordpress.soton.ac.uk/altc/wp-admin/admin-ajax.php?action=h5p_embed&id=[id] https: //*.h5p.com/content/[id]/embed https: //*.h5p.com/content/[id] Go to label created in C1 course Confirm that the H5P contents of 1, 2, 5 , 8 are displayed. Confirm that the H5P contents of 6 and 7 are not displayed. Tes3 - local files As an admin navigate to 'Private files' Create a folder with spaces in the name, e.g. 'Folder with spaces'. Upload 'arithmetic-quiz-22-57860 (1).h5p' file to the folder Navigate to Dashboard. Add 'Private files' block to your Dashboard. Copy link address to 'arithmetic-quiz-22-57860 (1).h5p' file In a course create a new label. Add link address to 'arithmetic-quiz-22-57860 (1).h5p' file to 'Label text' Save and return to course. Make sure H5P content is rendered and working

Sprint:
H5P Sprint Relase 3.8

The H5P filter recently introduced allows an attacker to execute JavaScript, and embed content that does not meet the allowed sources requirements.

Pre-requisites

H5P filter enabled
Default allowed sources

Demonstration

The following URLs are examples of vulnerabilities, include those URLs anywhere where the filter is applied.

https://perdu%2Ecom#h5p.com/content/1

https://mydomain-h5p.com/content/1

https://mydomainh5p.com/content/1

https://"onload="alert(1)"h5p.com/content/1"

Explanation

The default allowed sources contain the following:

https://*.h5p.com/content/[id]

A regular expression is constructed from the allowed sources replacing the * character with the regex [\.]+. It also does not escape the . (periods) that are part of the allowed sources.

With that we can:

Use the URL code %2E to hide . (periods) which allows us to completely replace the domain of the URL (first exploit)
Buy our own domain that ends in h5p.com as the preceding . (period) is not escaped, and can be any character (2nd and 3rd exploits)
Inject HTML through the domain so long as it does not include a period (4th exploit)

You should consider having a bug bounty

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

arithmetic-quiz-22-57860 (1).h5p
731 kB
07/Nov/19 3:26 PM
Confirmed fixed.png
955 kB
08/Nov/19 9:36 AM
MDL-67110-master.patch
4 kB
07/Nov/19 12:51 AM
security_localfiles_alert.gif
804 kB
06/Nov/19 9:40 PM

Assignee:: Amaia Anabitarte

Reporter:: Frédéric Massart

Peer reviewer:: Mihail Geshoski

Integrator:: Sara Arjona (@sarjona)

Tester:: Gladys Basiana

Participants:: Amaia Anabitarte, Andrew Lyons, CiBoT, Frédéric Massart, Gladys Basiana, Mihail Geshoski, Sara Arjona (@sarjona)

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Created:: 01/Nov/19 11:56 AM

Updated:: 08/Nov/19 11:09 PM

Resolved:: 08/Nov/19 11:09 PM

Estimated:

Not Specified

Remaining:

Logged:

7h 15m

Details

Setup

Prerequisites:

Test 1

Test 2

Tes3 - local files

Description

Attachments

Attachments

Activity

People

Dates

Time Tracking

Clockify