Moodle < 1.9.4 'filter/tex/texed.php' 'pathname' Parameter RCE
High Nessus Network Monitor Plugin ID 4788
Synopsis: The remote web server contains a PHP application that allows arbitrary command execution.
Description: The version of Moodle installed on the remote host fails to sanitize user-supplied input to the 'pathname' parameter before using it in the 'filter/tex/texed.php' script in a command line that is passed to the shell. Provided PHP's 'register_globals' setting and the TeX Notation filter have both been enabled and PHP's 'magic_quotes_gpc' setting is disabled, an unauthenticated attacker can leverage this issue to execute arbitrary code on the remote host subject to the privileges of the web server user ID.
Solution: Disable PHP's 'register_globals' or upgrade to version 1.9.4 or higher.
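
The preconditions listed in the description can be checked on a host you administer. The following is an added triage example, not the plugin's own detection logic or Moodle code. It assumes you supply the Moodle version string, the php.ini text, and whether the TeX Notation filter is enabled; the function names and the sample php.ini are constructed for illustration.

```python
import re

# PHP's built-in defaults when php.ini does not set the directive
# (register_globals Off since PHP 4.2, magic_quotes_gpc On before PHP 5.4).
PHP_DEFAULTS = {"register_globals": False, "magic_quotes_gpc": True}
TRUE_VALUES = {"1", "on", "true", "yes"}
FIXED_IN = (1, 9, 4)  # from the advisory: upgrade to 1.9.4 or higher


def parse_php_flags(ini_text):
    """Return the effective boolean value of the two directives in php.ini text."""
    flags = dict(PHP_DEFAULTS)
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if "=" not in line or line.startswith("["):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in flags:  # directive names are case sensitive; last one wins
            flags[key] = value.strip("'\"").lower() in TRUE_VALUES
    return flags


def version_tuple(version):
    """'1.9.3+' -> (1, 9, 3); missing components count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def assess(moodle_version, ini_text, tex_filter_enabled):
    """Report which of the advisory's preconditions hold and whether all do."""
    flags = parse_php_flags(ini_text)
    conditions = {
        "version below 1.9.4": version_tuple(moodle_version) < FIXED_IN,
        "register_globals enabled": flags["register_globals"],
        "magic_quotes_gpc disabled": not flags["magic_quotes_gpc"],
        "TeX Notation filter enabled": tex_filter_enabled,
    }
    return all(conditions.values()), conditions


# Constructed sample php.ini, not taken from any real host.
SAMPLE_INI = """
[PHP]
register_globals = On   ; legacy setting
magic_quotes_gpc = Off
"""

if __name__ == "__main__":
    exposed, detail = assess("1.9.3", SAMPLE_INI, tex_filter_enabled=True)
    print("exposed" if exposed else "not exposed", detail)
```

A result of "not exposed" on a version below 1.9.4 only means the stated preconditions are not all met; the upgrade in the solution still applies.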