Moodle v4.2.10+ : Malicious File Upload (XSS in PDF)

GrimTheRipper
3 min readDec 2, 2024


Description:

# An issue was discovered in Moodle v4.2.10+ (Build: 20241004)

# We have discovered a vulnerability that allows authenticated admin users, or any user account that has file upload privileges, to upload PDF files containing malicious code (Stored Cross-Site Scripting) into the target system. If the PDF file is accessed through the website, it can trigger a Cross-Site Scripting (XSS) attack.

Affected Component:

http://[ip]/course/modedit.php?add=resource&type&course=2&section=0&return=0&sr=0&beforemod=0

Payload:

%PDF-1.7
1 0 obj
<</Pages 1 0 R /OpenAction 2 0 R>>
2 0 obj
<</S /JavaScript /JS (app.alert('xss test'))
>> trailer <</Root 1 0 R>>

Proof of Concept:

First, log in to the target application as an admin or with any account that has file upload privileges.

Log in to the page as admin.

Then follow these steps.

  1. Enable Edit mode.
  2. Select “My courses”.
  3. Select our course; in this scenario it is “TestCourse”.

Select our course.

Select “Add an activity or resource”.

Add an activity or resource.

Then, select “File”.

Select File.

Then follow these steps.

  1. Enter a file name; in this scenario it is “PDF File Upload”.
  2. Select the drag-and-drop file area.

Create the new resource.

Then follow these steps.

  1. Select the “Upload a file” menu.
  2. Select the file you want to upload, “xss-on-pdf.pdf”.
  3. Click “Upload this file”.

Select the malicious PDF file.

Notice that the upload of the malicious PDF to the target succeeds, then click “Save and display”.

Save and display file to our courses.

Then, open “xss-on-pdf.pdf” file.

Open pdf file.

The XSS payload will run immediately.

The payload was executed on the target.
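As an added defensive example (not Moodle's code and not from the original post): a Python pre-upload check that rejects PDFs carrying the auto-run and JavaScript names shown in the payload above. It assumes the upload handler hands it the raw file bytes; the function names are my own. It goes beyond the single payload on this page by also resolving #xx name escapes and scanning Flate-compressed streams, where the same names would be invisible to a plain byte grep.

```python
"""Reject uploaded PDFs that carry active content (JavaScript, OpenAction, ...).

Added example, not Moodle's own code. Assumption: the caller passes the raw
bytes of the uploaded file, and any of the names below is grounds for
rejection (a conservative policy; some legitimate forms use /AA).
"""
import re
import zlib

# PDF name objects that introduce script execution or auto-run behaviour.
ACTIVE_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

# Body of a stream object; the lookbehind keeps "endstream" from starting a match.
_STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# #xx hex escape inside a PDF name, e.g. /J#61vaScript for /JavaScript.
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def _unescape_names(data: bytes) -> bytes:
    """Resolve #xx escapes so obfuscated names compare equal to their plain form."""
    return _HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def _inflated_streams(data: bytes):
    """Yield decompressed bodies of Flate streams (object streams can hide names)."""
    for m in _STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            # Not Flate-compressed (or truncated); the raw bytes are scanned anyway.
            continue


def find_active_content(data: bytes) -> list:
    """Return the flagged names found in the raw bytes or inside inflated streams."""
    views = [_unescape_names(data)]
    views += [_unescape_names(s) for s in _inflated_streams(data)]
    found = []
    for name in ACTIVE_NAMES:
        # Require a delimiter after the name so /JS does not match a longer key.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9_])"
        if any(re.search(pattern, v) for v in views):
            found.append(name.decode())
    return found


def is_safe_pdf(data: bytes) -> bool:
    """True when the file starts like a PDF and carries none of the flagged names."""
    return data.startswith(b"%PDF-") and not find_active_content(data)
```

A check like this is a filter, not a guarantee; serving user-supplied PDFs with Content-Disposition: attachment instead of rendering them inline is the complementary server-side control.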

Author:

Grim The Ripper Team by SOSECURE Thailand.
