-----BEGIN PGP SIGNED MESSAGE-----
PR08-15: Several Webroot Disclosures on Moodle
Vulnerability found: 20/06/2008
Vendor informed: 25/06/2008
Vulnerability fixed: 16/07/2008
Advisory publicly released: 22/07/2008
Moodle 1.6.5 is vulnerable to several webroot disclosures. No
authentication is required to obtain the webroot paths.
Proof of concept:
Fatal error: Class 'page_base' not found in
/Volumes/<dir_name>/data/moodle/blog/blogpage.php on line 9
Fatal error: Call to undefined function get_courses() in
/Volumes/<dir_name>/data/moodle/course/report/stats/report.php on line 3
Server: Apache/2.2.2 (Unix) PHP/5.2.1 mod_ssl/2.2.2 OpenSSL/0.9.7l
Moodle 1.6.5 + (2006050550)
Note: Moodle reveals its version within HTML source code. i.e.: <a
title="moodle 1.6.5 + (2006050550)" href="http://moodle.org/">
Information about the target environment can be extracted.
Disable display_errors in PHP configuration; A new warning for
administrators has been added in versions 1.8.6 and 1.9.2.
This issue has been tracked as MDL-15413.
Credits: Richard Brain of ProCheckUp Ltd. (www.procheckup.com)
ProCheckUp would like to thank Petr Skoda and the rest of the Moodle
team for their excellent response time and cooperation towards resolving
Copyright 2008 Procheckup Ltd. All rights reserved.
Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if, the Bulletin is not edited or changed in any way, is attributed
to Procheckup, and provided such reproduction and/or distribution is
performed for non-commercial purposes.
Any other use of this information is prohibited. Procheckup is not
liable for any misuse of this information by any third party.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----