unclear CSS - attack

by Bjarne Oldsen -
Number of replies: 4


Hi all,

At the moment we are running a Moodle site, which is hosted by a Chinese partner because of a joint venture with our company.

Now the Chinese operator has threatened to close down our site, because according to his scanner, search.php in combination with "mouseover" could allow a CSS attack. I attached a screenshot with the scan output. However, I can't figure out what the risk is here and, more importantly, how to fix it.

I don't know whether it is a real Moodle bug. I need a fix, hack or so in order to keep the scanner silent here...

Can you get me started on how to do that?

Many thanks!

Cheers,

Bjarne

Attachment css_bug.png
In reply to Bjarne Oldsen

Re: unclear CSS - attack

by Bjarne Oldsen -

...what I can imagine is that the link could generate a mouseover, which could execute JavaScript. Or does it interpret this input JS somewhere else?

Some basic steps are outlined here:

https://docs.moodle.org/dev/Security:Cross-site_scripting#Cleaning_input

Nonetheless, I need hands-on info on how to protect the site here. Do I have to sanitize separators? I'm still clueless...

Is it a browser issue? Old Internet Explorer versions? What is the basic danger scenario here?

Any hints or info would be great!

Best,

Bjarne


In reply to Bjarne Oldsen

Re: unclear CSS - attack

by James McLean -

Which version of Moodle are you using? If it's an old version, updating to a supported version would be advised.

I've had a play with this in recent 3.1 and 3.3, neither are directly vulnerable. If you're running a recent supported version, and if you can trigger the vulnerability manually (outlined below), then please submit a tracker item making sure to select security issue.

To trigger this manually, access the URL in the report; once the page loads and you hover over the search field at the bottom of the page, if the confirm box pops up, you're vulnerable. If it doesn't and you see the confirm code inside the search field, it's a false positive.
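
The manual check described above can also be done on the saved HTML of the response. The following is an added example, not part of the thread and not Moodle code: it parses a page and reports whether a probe string ended up in an executable position (an `on*` handler or a script body) or only as inert text inside an attribute such as `value`. The marker, the field name `search` and both sample pages are constructed for illustration.

```python
from html.parser import HTMLParser

MARKER = "confirm(1)"  # constructed probe marker, not the scanner's real payload

# Constructed sample responses: the same probe, escaped vs. written out raw.
SAMPLE_ESCAPED = '<input type="text" name="search" value="&quot; onmouseover=&quot;confirm(1)">'
SAMPLE_RAW = '<input type="text" name="search" value="" onmouseover="confirm(1)">'


class ReflectionTriage(HTMLParser):
    """Records every place the marker appears after the HTML has been parsed."""

    def __init__(self, marker):
        super().__init__(convert_charrefs=True)
        self.marker = marker
        self.findings = []       # (verdict, tag, attribute or None)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if value is None or self.marker not in value:
                continue
            # The parser has already decoded entities, so an escaped quote stays
            # inside "value"; an unescaped one creates a separate on* attribute.
            is_js_url = name in ("href", "src") and value.strip().lower().startswith("javascript:")
            verdict = "executable" if name.startswith("on") or is_js_url else "inert"
            self.findings.append((verdict, tag, name))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self.marker in data:
            verdict = "executable" if self._in_script else "inert"
            self.findings.append((verdict, "script" if self._in_script else "#text", None))


def triage(html, marker=MARKER):
    """Return 'vulnerable', 'false positive' or 'not reflected' for one page."""
    parser = ReflectionTriage(marker)
    parser.feed(html)
    parser.close()
    if any(verdict == "executable" for verdict, _, _ in parser.findings):
        return "vulnerable"
    return "false positive" if parser.findings else "not reflected"
```

A "false positive" verdict matches the case where the code is visible as plain text inside the search field; it only covers the saved response, so markup built later by client-side scripts still needs the browser check.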

In reply to James McLean

Re: unclear CSS - attack

by Bjarne Oldsen -

Hi James,

Thanks for your answer. We are running Moodle 2.9.8.

When I trigger it manually by opening the link in the browser, I get a search field in the middle of the page (adaptable theme).

I can hover over the search field without getting a popup. Inside the search box I can see some plain JavaScript code (see attachment), but without tags of course. So IMHO it's not interpreted. No vulnerability given here.

Hope you'd like to add something.

Best regards,

Bjarne


Attachment Bildschirmfoto 2017-11-07 um 12.16.29.png
In reply to Bjarne Oldsen

Re: unclear CSS - attack

by Ralf Hilgenstock -

Hi Bjarne

Your hoster should upgrade the site to the 3.1 LTS version or 3.3 or 3.4. These versions are maintained.

ralf