Moodle 'lib/kses.php' 'kses_bad_protocol_once' Function Arbitrary PHP Code Execution

high Nessus Plugin ID 34095

Synopsis

The remote web server contains a PHP application that allows remote execution of arbitrary code.

Description

The version of Moodle on the remote host includes a version of the KSES HTML filtering library that does not safely call 'preg_replace()' in the function 'kses_bad_protocol_once()' in 'lib/kses.php'. An unauthenticated, remote attacker can leverage this issue to inject arbitrary PHP code that will be executed subject to the privileges of the web server user id.

Note that there are also reportedly several cross-site scripting and HTML filtering bypass vulnerabilities in the version of the KSES library in use, although Nessus has not explicitly tested for them.

Solution

Upgrade to Moodle 1.8.5, 1.9, or any recent nightly 1.7.x or 1.6.x build.

See Also

https://moodle.org/mod/forum/discuss.php?d=95031

https://docs.moodle.org/35/en/Release_Notes#Moodle_1.8.5

Plugin Details

Severity: High

ID: 34095

File Name: moodle_kses_code_exec.nasl

Version: 1.23

Type: remote

Family: CGI abuses

Published: 9/5/2008

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:moodle:moodle

Required KB Items: www/PHP, installed_sw/Moodle

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Exploitable With

Elliot (Moodle <= 1.8.4 RCE)

Reference Information

BID: 28599

SECUNIA: 30986, 31017