| Topic: | design deficiency combined with incorrect use of format_string() allowing XSS |
| Severity: | Major |
| Versions affected: | < 1.6.8, < 1.7.6, < 1.8.7, < 1.9.3 |
| Reported by: | Lars Vogdt |
| Issue no.: | MDL-15823 |
| Solution: | Update to latest releases or patch format_string() function 1.6.x http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.581.4.12&r2=1.581.4.13 1.7.x http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.674.2.35&r2=1.674.2.36 1.8.x http://cvs.moodle.org/moodle/lib/weblib.php?view=log&pathrev=MOODLE_18_STABLE 1.9.x http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.970.2.103&r2=1.970.2.104 |
Description:
Lars Vogdt reported a Cross Site Scripting (XSS) problem in one script, during the evaluation we have realised that several other places might be affected too. The problem was caused by combination of incorrect use of format_string() and previous design of this function. We have decided to prevent this and any similar problems in future by adding more sanitisation into format_string().