Category:   Application (Forum/Board/Portal)  >   Moodle
Vendors:   moodle.org
Moodle Glossary Module Input Validation Holes May Let Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1012113
SecurityTracker URL:  http://securitytracker.com/id/1012113
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 8 2004
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 1.4.2
Description:   Input validation vulnerabilities were reported in the glossary module of Moodle. A remote user may be able to inject SQL commands.

The vendor reported that some script parameters are not properly validated. The glossary module does not properly validate the hook parameter and the glossary id parameter, both of which are used in 'sql.php' to build an SQL query. A remote user may be able to supply specially crafted input to execute SQL commands on the underlying database.

Petr Skoda is credited with discovering these flaws.

Impact:   A remote user may be able to execute SQL commands on the underlying database.
Solution:   The vendor has issued a fixed version (1.4.2), available at:

http://moodle.org/mod/resource/view.php?id=2958

Vendor URL:  www.moodle.org/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

