Moodle < 1.9.4 'filter/tex/texed.php' 'pathname' Parameter RCE

high Nessus Network Monitor Plugin ID 4788

Synopsis

The remote web server contains a PHP application that allows arbitrary command execution.

Description

The version of Moodle installed on the remote host fails to sanitize user-supplied input to the 'pathname' parameter of the 'filter/tex/texed.php' script before using it in a command line that is passed to the shell. Provided PHP's 'register_globals' setting and Moodle's TeX Notation filter are both enabled and PHP's 'magic_quotes_gpc' setting is disabled, an unauthenticated, remote attacker can exploit this issue to execute arbitrary commands on the remote host, subject to the privileges of the web server user ID.
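The three preconditions in the description, shown side by side as an added illustration. This is hypothetical PHP written for this page, not the contents of Moodle's filter/tex/texed.php; the variable names, the latex binary path and the data directory are assumptions chosen only to show the bug class and its fix.

```php
<?php
// Added illustration of the bug class described above. This is NOT the code
// of Moodle's filter/tex/texed.php; the variable names, the command and the
// paths are assumptions chosen to show the pattern.

$pathlatex = '/usr/bin/latex';                                   // assumed converter path
$formula   = isset($_GET['formula']) ? (string) $_GET['formula'] : '';

// ---- Vulnerable pattern ----------------------------------------------------
// 1. register_globals=On: every request parameter already exists as a PHP
//    global when the script starts, so GET /texed.php?pathname=... sets
//    $pathname, and a "default only if unset" guard like this one keeps the
//    attacker's value instead of the server-derived one.
if (!isset($pathname)) {
    $pathname = '/var/www/moodledata/filter/tex/' . md5($formula);
}

// 2. The value is interpolated into a shell command line. With
//    magic_quotes_gpc=Off the single quote in a value such as
//        x'; id > /tmp/out; '
//    arrives intact, closes the quoted argument and runs "id".
//    magic_quotes_gpc=On would backslash-escape that quote, which is the
//    only reason the advisory lists it as a precondition; it is not a
//    defence against ; | & or $( ) once the quoting around the argument is gone.
$cmd = "$pathlatex --interaction=nonstopmode '$pathname.tex'";
system($cmd);

// ---- Hardened pattern ------------------------------------------------------
function tex_command_safe($pathlatex, $formula)
{
    // Refuse to run at all under the unsafe configuration.
    if (ini_get('register_globals')) {
        throw new RuntimeException('register_globals must be disabled');
    }
    // Derive the path server-side; request data never names a file.
    $name     = md5($formula);                   // 32 hex chars, no shell metacharacters
    $pathname = '/var/www/moodledata/filter/tex/' . $name;
    // Quote the program name as a whole and every argument individually.
    return escapeshellcmd($pathlatex)
         . ' --interaction=nonstopmode '
         . escapeshellarg($pathname . '.tex');
}

system(tex_command_safe($pathlatex, $formula));
```

The 'magic_quotes_gpc' precondition matters only because the injected quote has to close the quoting around the argument; it is not a mitigation. Both 'register_globals' and 'magic_quotes_gpc' were removed in PHP 5.4, so on a modern interpreter the second condition can no longer be met, but an unpatched Moodle on a legacy PHP build remains exposed.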

Solution

Disable PHP's 'register_globals' setting or upgrade to Moodle 1.9.4 or later.

See Also

http://www.securityfocus.com/archive/1/499172/30/0/threaded

Plugin Details

Severity: High

ID: 4788

Family: CGI

Published: 12/15/2008

Updated: 3/6/2019

Nessus ID: 35090

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:moodle:moodle

Patch Publication Date: 12/12/2008

Vulnerability Publication Date: 12/12/2008

Reference Information

BID: 32801