Code injections via moodle internal messenger possible?

by Alexander Dominicus -

Dear Moodlers,

I've just recognised the following:

When I insert some code into the Moodle internal messenger, this code seemed (!) to be executed.

(Edited by Mary Cooch to remove the code in accordance with Security procedures - original submission Thursday, 22 December 2022, 12:57 PM)

In reply to Alexander Dominicus

Re: Code injections via moodle internal messenger possible?

by Gareth J Barnard -
Dear Alex,

I can replicate, but I don't think the code is being executed, as given the message it seems that 'item(0)' is 'null' on:

$html = $doc->getElementsByTagName('body')->item(0)->C14N(false, true);
in the 'prevent_unclosed_html_tags' method of '/message/classes/helper.php'.

G
In reply to Gareth J Barnard

Reply: Re: Code injections via moodle internal messenger possible?

by Alexander Dominicus -
Dear Gareth,
Thank you very much for your reply!
So, maybe a code snippet is recognised as "media" (e.g. an HTML image), since in the message overview the message is named as "other media".
Best,
Alex
In reply to Alexander Dominicus

Re: Reply: Re: Code injections via moodle internal messenger possible?

by Gareth J Barnard -
Hi Alex,

I think it's seeing it as HTML, but perhaps not understanding the PHP syntax. But then again, PHP is a pre-processor that processes the combined HTML / PHP and converts its tags into HTML that the browser can understand. I don't know if it is recognised as media; I didn't look any further after finding the one place that C14N() is called.

Kind regards,

Gareth