Moodle < 1.9.4 'filter/tex/texed.php' 'pathname' Parameter RCE

High Nessus Network Monitor Plugin ID 4788

Synopsis

The remote web server contains a PHP application that allows arbitrary command execution.

Description

The version of Moodle installed on the remote host fails to sanitize user-supplied input to the 'pathname' parameter before using it in the 'filter/tex/texed.php' script in a command line that is passed to the shell. Provided that PHP's 'register_globals' setting and the TeX Notation filter have both been enabled and PHP's 'magic_quotes_gpc' setting is disabled, an unauthenticated attacker can leverage this issue to execute arbitrary code on the remote host, subject to the privileges of the web server user ID.

Solution

Disable PHP's 'register_globals' or upgrade to Moodle version 1.9.4 or higher.

See Also

http://www.securityfocus.com/archive/1/499172/30/0/threaded

Plugin Details

Severity: High

ID: 4788

File Name: 4788.prm

Family: CGI

Published: 2008/12/15

Modified: 2016/11/23

Dependencies: 8683

Nessus ID: 35090

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 7.3

Temporal Score: 6.8

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:moodle:moodle

Patch Publication Date: 2008/12/12

Vulnerability Publication Date: 2008/12/12

Reference Information

BID: 32801

OSVDB: 50810