Moodle 'filter/tex/texed.php' 'pathname' Parameter Remote Command Execution

medium Nessus Plugin ID 35090

Synopsis

The remote web server contains a PHP application that allows arbitrary command execution.

Description

The version of Moodle installed on the remote host fails to sanitize user-supplied input to the 'pathname' parameter before using it in the 'filter/tex/texed.php' script in a commandline that is passed to the shell. Provided that PHP's 'register_globals' setting and the TeX Notation filter has both been enabled and PHP's 'magic_quotes_gpc' setting is disabled, an unauthenticated attacker can leverage these issues to execute arbitrary code on the remote host subject to the privileges of the web server user id.

Solution

Disable PHP's 'register_globals'.

See Also

https://www.securityfocus.com/archive/1/499172/30/0/threaded

Plugin Details

Severity: Medium

ID: 35090

File Name: moodle_tex_filter_get_cmd_exec.nasl

Version: 1.22

Type: remote

Family: CGI abuses

Published: 12/14/2008

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5.1

Temporal Score: 3.8

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:moodle:moodle

Required KB Items: www/PHP, installed_sw/Moodle

Exploit Ease: No known exploits are available

Exploited by Nessus: true

Exploitable With

Elliot (Moodle Tex Notification RCE)

Reference Information

BID: 32801