gjbarnard / moodle-theme_adaptable

Adaptable theme for Moodle
GNU General Public License v3.0

XSS vulnerabilities #1

Closed cyrusrazavipt closed 1 year ago

cyrusrazavipt commented 1 year ago

During routine vulnerability testing, our security team found an XSS vulnerability within the Adaptable Theme plugin. It appears the adaptable theme is too trusting of user data that is input into the user profile page.

Moodle allows for first names and last names that contain JavaScript tags; the adaptable theme then echoes these values out as part of the header where the user's name is shown and on the onmouseover event.

We believe the issue is located here:

https://github.com/gjb2048/moodle-theme_adaptable/blob/1f232407c9f35223f026d69e283b2c8ac6af8a8c/templates/usermenu.mustache#L38

gjb2048 commented 1 year ago

Dear @cyrusrazavipt,

Interesting. You say you 'believe' this is an issue, but do you have reproducible evidence that demonstrates this in a concrete and reliable fashion so that it's testable against? And is it indeed really Adaptable's issue, or rather all to do with https://tracker.moodle.org/browse/MDL-76743?

G

gjb2048 commented 1 year ago

Ok, given that this is generated by:

$username = format_string(fullname($USER));

using 'format_string', which calls 'clean_text' which has in its description:

 * Cleans raw text removing nasties.
 *
 * Given raw text (eg typed in by a user) this function cleans it up and removes any nasty tags that could mess up
 * Moodle pages through XSS attacks.

Then please do indicate how I can replicate the issue you're asserting.

cyrusrazavipt commented 1 year ago

Yes we have Burp Security Suite scans which seem to confirm the issue, as well as reproducibility in a live system.

If you add a javascript function to your firstname on user profile, then when you hover over your user menu in the upper right, the function should execute.

A sample JS function that we used to test this was: n04gy"onmouseover="alert(1)"mvy4w

gjb2048 commented 1 year ago

@cyrusrazavipt Thanks, I can replicate now.

gjb2048 commented 1 year ago

Interesting, ok, solution is:

title="{{username}}">
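The reporter's payload above (n04gy"onmouseover="alert(1)"mvy4w) contains no tags at all, which is why a "remove nasty tags" cleaner lets it through: the break-out happens inside the title="" attribute, where an unescaped double quote ends the value and the rest is parsed as a new attribute. In Mustache, {{name}} is HTML-escaped while {{{name}}} is inserted raw, which is the distinction the fix relies on. The following is an added example, not code from Adaptable or Moodle: a tiny Mustache-style renderer with a tag-stripping sanitiser, rendering the same payload through an assumed pre-fix template that uses raw {{{username}}} (the original line is not shown in this issue) and through the fixed {{username}} form. The parseAttributes helper is a constructed, demonstration-only approximation of how a browser splits the attributes.

```javascript
// Added example, not part of the Adaptable theme or Moodle. Demonstrates why a
// tag-stripping cleaner is not enough for attribute context and why Mustache's
// escaped {{x}} (vs raw {{{x}}}) closes the reported onmouseover injection.

// HTML-escape the five characters that matter in text and attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal Mustache-like renderer: {{{x}}} inserts raw, {{x}} inserts escaped.
// Triple braces are handled first so they are not misread as double braces.
function render(template, ctx) {
  return template
    .replace(/\{\{\{\s*(\w+)\s*\}\}\}/g, (_, k) => String(ctx[k] ?? ''))
    .replace(/\{\{\s*(\w+)\s*\}\}/g, (_, k) => escapeHtml(ctx[k] ?? ''));
}

// Stand-in for a "remove nasty tags" cleaner: strips <...> sequences but does
// not touch quotes. The issue's payload has no tags, so it passes unchanged.
function stripTags(s) {
  return String(s).replace(/<[^>]*>/g, '');
}

// Demonstration-only attribute parser: collects name="value" pairs from the
// first <a ...> tag so we can see what a browser would attach to the element.
function parseAttributes(html) {
  const m = html.match(/<a\s+([^>]*)>/);
  const attrs = {};
  if (!m) return attrs;
  const re = /([\w-]+)="([^"]*)"/g;
  let a;
  while ((a = re.exec(m[1])) !== null) attrs[a[1]] = a[2];
  return attrs;
}

// Payload quoted in the issue; templates are constructed for this example.
const PAYLOAD = 'n04gy"onmouseover="alert(1)"mvy4w';
const VULNERABLE = '<a href="#" title="{{{username}}}">{{{username}}}</a>'; // assumed pre-fix form
const FIXED = '<a href="#" title="{{username}}">{{username}}</a>';

// Render the user-menu fragment the way a theme would: clean first, then
// interpolate. Cleaning alone is what the thread initially relied on.
function renderUserMenu(template, firstname) {
  return render(template, { username: stripTags(firstname) });
}

// True if any attribute that reaches the element is an on* event handler.
function hasInjectedHandler(html) {
  return Object.keys(parseAttributes(html)).some((k) => /^on/i.test(k));
}

// Stand-alone run: prints both renderings and the verdict for each.
for (const [label, tpl] of [['vulnerable', VULNERABLE], ['fixed', FIXED]]) {
  const html = renderUserMenu(tpl, PAYLOAD);
  console.log(label, '=>', html);
  console.log('  injected handler:', hasInjectedHandler(html));
}
```

The escaped rendering keeps the whole payload inside the title value as a single string, so hovering the menu shows the literal text rather than running it; this is also what the "quotes in the username are escaped" observation later in the thread corresponds to.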

cyrusrazavipt commented 1 year ago

Hey, touching base with you, do you have any updates on when the fix you found will be applied to the current moodle-theme_adaptable GitHub branch?

gjb2048 commented 1 year ago

@cyrusrazavipt It already has been fixed in the M4.1 development version. It will be in the next release and backported at some point. Can't say exactly when, depends on when there is a release that justifies the effort and combined with other commits.

cyrusrazavipt commented 1 year ago

Acknowledged. We currently utilize the 39.1.6 (2020073113) branch for Moodle 3.9. Do you know if this branch will be updated at the same time as the 4.1 branch?

gjb2048 commented 1 year ago

Dear @cyrusrazavipt, no, please see https://moodle.org/plugins/theme_adaptable for list of 'Current' versions.

gjb2048 commented 1 year ago

Released for M3.11 to M4.1.

cyrusrazavipt commented 1 year ago

gjb2048, it seems that the fix applied to the adaptable theme used in Moodle 4.1 is not fixing the XSS issue. Security scans were performed and the same JavaScript string was used to reproduce and confirm the XSS issue is still present. Could you take a look into this?

gjb2048 commented 1 year ago

@cyrusrazavipt What version of the theme are you using please?

cyrusrazavipt commented 1 year ago

401.1.2

gjb2048 commented 1 year ago

Strange, looks as if it could happen:

Screenshot 2023-05-16 184806

but no alert?

gjb2048 commented 1 year ago

Ok, closer inspection:

Screenshot 2023-05-16 185210

so @cyrusrazavipt is this a 'false positive'?

cyrusrazavipt commented 1 year ago

moodle issue xss

This is a test performed on a website that currently has the moodle 4.1, adaptable theme version 401.1.2

gjb2048 commented 1 year ago

@cyrusrazavipt What exact test data are you using please?

cyrusrazavipt commented 1 year ago

n04gy"onmouseover="alert(1)"mvy4w

gjb2048 commented 1 year ago

@cyrusrazavipt Can't replicate as the quotes in the username are escaped:

Screenshot 2023-05-16 220027

Please confirm the same. I'm using version 401.1.6 which is in development but based upon 401.1.5 which has been released.

gjb2048 commented 1 year ago

@cyrusrazavipt And double check the version:

Screenshot 2023-05-16 220502

cyrusrazavipt commented 1 year ago

Should we be using version 401.1.5 instead of 401.1.2 for the adaptable theme? Which latest version of Moodle currently has 401.1.5?

gjb2048 commented 1 year ago

@cyrusrazavipt 401.1.2 should be fine, I just want to be sure that you're running a version with the fix on the particular instance you say has the issue. What browser, version and OS are you running that has the issue?

cyrusrazavipt commented 1 year ago

Google Chrome Version 113.0.5672.93 (Official Build) (64-bit), Windows 11 latest build

gjb2048 commented 1 year ago

@cyrusrazavipt Thanks. Please re-confirm the Adaptable version on the problem instance in the method requested.

gjb2048 commented 1 year ago

@cyrusrazavipt Please re-confirm that this is still an issue on the Adaptable version you're running (screen shot of information tab please).

gjb2048 commented 1 year ago

@cyrusrazavipt Please respond or I'll close the issue as fixed.

cyrusrazavipt commented 1 year ago

Apologies, I didn't see these messages; currently not an issue anymore.