Moodle Security Breach - Urgent


Posted by bahaa bacharouch
Number of replies: 3

Sometimes users face a problem while uploading files to Moodle version 1910.

The IPS detects this as a worm, “PhpInclude Worm”.

Does Moodle code containing "require()" or "include()" functions properly sanitize the user input?

Do we consider this message from the IPS a false positive?

Has anyone faced this problem?

In reply to bahaa bacharouch

Re: Moodle Security Breach - Urgent

Posted by Tim Hunt

Moodle works very hard to sanitise all values passed to require or include.

Can we 100% guarantee that we have not forgotten one somewhere? No. But the Moodle code is reviewed a lot.

Do you have a more specific message from whatever testing tool this is? Which file in the Moodle codebase does it object to?
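The answer above turns on whether request input can reach require() or include() unchecked. The following PHP is an added illustration, not Moodle code and not the code the IPS flagged; the page keys, the `page` request parameter, and the `pages/` directory are constructed for the example. It contrasts the unchecked pattern a file-inclusion signature reacts to with two defensive forms: an allow-list of known files, and realpath() confinement for a dynamic set of files.

```php
<?php
// Added illustration (not Moodle's code): keeping request-controlled values
// away from include()/require(). Page names, the "page" parameter and the
// pages/ directory are constructed for this example.

declare(strict_types=1);

// The pattern file-inclusion scanners look for: the request value selects
// the file directly, so the request controls what gets included. Shown only
// to contrast with the two checked forms below; never call require on it.
function include_path_unchecked(string $page): string
{
    return __DIR__ . '/pages/' . $page . '.php';   // path built from raw input
}

// Safe form 1: map the request value onto a fixed allow-list of known files.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'profile' => 'profile.php',
    'quiz'    => 'quiz.php',
];

function resolve_allowed_page(string $page): ?string
{
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        return null;                         // unknown key: refuse, never guess
    }
    return __DIR__ . '/pages/' . ALLOWED_PAGES[$page];
}

// Safe form 2: for a dynamic set of files, restrict the name to a plain
// identifier, resolve it with realpath() and verify it stays inside $baseDir.
function resolve_confined_page(string $page, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                         // base directory does not exist
    }
    if (!preg_match('/^[a-z0-9_]+$/', $page)) {
        return null;                         // slashes, dots, colons: refused
    }
    $candidate = realpath($base . '/' . $page . '.php');
    if ($candidate === false
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                         // missing, or resolved outside $base
    }
    return $candidate;
}

// Demonstration on constructed inputs. In real code only a non-null result
// is ever handed to require(); the first function is shown purely for contrast.
$samples = ['quiz', '../../config', 'http://example.com/x', 'profile'];
foreach ($samples as $input) {
    $allowed  = resolve_allowed_page($input);
    $confined = resolve_confined_page($input, __DIR__ . '/pages');
    printf("%-22s allow-list: %-8s confined: %s\n",
        $input,
        $allowed === null ? 'refused' : 'ok',
        $confined === null ? 'refused' : 'ok');
}
```

Run it from a directory that contains a `pages/` subfolder to see the confined check accept only existing files inside it; without that folder every confined lookup is refused, which is the safe default. The point for the thread: as long as every value that reaches require() or include() has gone through a check like one of these, a signature firing on an upload form is about the traffic shape, not about an actual inclusion path.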

In reply to Tim Hunt

Re: Moodle Security Breach - Urgent

Posted by A. H.

Dear Tim,

This morning I read some logs from the firewall, and it blocked:

- add a resource - link to a file or webpage, while a user was attempting to upload and link a file

- modifying questions for a quiz

I need to make sure that these modules are well sanitized before I consider this a false positive. The IPS is considering this activity similar to a PHP File Inclusion worm.

I appreciate your feedback on this.


regards,

amer

In reply to A. H.

Re: Moodle Security Breach - Urgent

Posted by Tim Hunt

Editing quiz questions is handled by question/question.php. The URL parameter that causes the problem is normally returnurl. If you look at the code: http://git.moodle.org/gw?p=moodle.git;a=blob;f=question/question.php;h=00414134b6fedae2011c8ff16694d9dd09f55ce0;hb=HEAD you will see that it is cleaned using PARAM_LOCALURL, which is correct.

I am not really sure what it would be objecting to in course/modedit.php, which is what handles adding a resource. http://git.moodle.org/gw?p=moodle.git;a=blob;f=course/modedit.php;h=cd84c00b7e6f1041ab41cc1d2bf315277f8076e8;hb=HEAD
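Tim's point about returnurl is that a redirect target taken from the request is only safe once it has been reduced to a URL on the site itself. The following PHP is an added example of that kind of check, written for this thread; it is not Moodle's clean_param() or its PARAM_LOCALURL implementation, and `$wwwroot`, the sample URLs and the helper name are constructed. It accepts only site-relative paths and absolute URLs that begin with the site's own root, and returns an empty string for everything else so the caller falls back to a default page.

```php
<?php
// Added example (not Moodle's clean_param): reduce a request-supplied
// return URL to something on our own site before redirecting to it.
// $wwwroot and the sample inputs are constructed for this illustration.

declare(strict_types=1);

function clean_local_url(string $url, string $wwwroot): string
{
    $url = trim($url);
    // Empty values and control characters (header injection, odd encodings)
    // are never a usable target.
    if ($url === '' || preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return '';
    }
    // Two leading slashes or backslashes in any mix ("//host", "/\host",
    // "\\host") are read by browsers as protocol-relative: another site.
    if (preg_match('#^[/\\\\]{2}#', $url)) {
        return '';
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return '';                           // unparseable: refuse
    }
    $root = rtrim($wwwroot, '/');
    if (isset($parts['scheme']) || isset($parts['host'])) {
        // Absolute URL (or javascript:, data:, ...): keep only our own root,
        // matched as a prefix followed by "/" or "?" so "root.evil" is refused.
        if (strcasecmp($url, $root) === 0
            || strncasecmp($url, $root . '/', strlen($root) + 1) === 0
            || strncasecmp($url, $root . '?', strlen($root) + 1) === 0) {
            return $url;
        }
        return '';
    }
    // No scheme and no host: a path relative to this site.
    return $url;
}

// Demonstration on constructed inputs, mirroring a returnurl parameter.
$wwwroot = 'https://moodle.example.org';
$samples = [
    '/mod/quiz/edit.php?cmid=12',
    'https://moodle.example.org/question/edit.php?courseid=3',
    'https://moodle.example.org.evil.test/x',
    '//evil.test/phish',
    '/\\evil.test/phish',
    'javascript:alert(1)',
    '',
];
foreach ($samples as $candidate) {
    $cleaned = clean_local_url($candidate, $wwwroot);
    // Empty result means the caller redirects to its default page instead.
    $target  = $cleaned === '' ? $wwwroot . '/' : $cleaned;
    printf("%-58s -> %s\n", var_export($candidate, true), $target);
}
```

The design choice worth noting is the prefix match on the site root: comparing against `$root . '/'` rather than `$root` alone is what stops a host that merely starts with the same string from passing. When the cleaned value is empty the safe behaviour is to send the user to a known page, never to echo the rejected value back into a Location header.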