Moodle LMS Jmol Plugin Path Traversal Vulnerability

A path traversal vulnerability has been identified in the Jmol plugin for Moodle LMS, affecting versions through 6.1. The vulnerability arises in the jsmol.php file, where user input is directly passed to the file_get_contents() function without adequate validation. This flaw allows attackers to read arbitrary files from the server's filesystem by crafting a malicious query. The vulnerability can be exploited without authentication, potentially exposing sensitive configuration data such as database credentials.

Impact

Exploitation of this vulnerability allows for unauthorized access to files on the server, including sensitive information like database credentials. While the vulnerability does not directly allow for code execution, access to certain files could facilitate further attacks.

Reproduction

The vulnerability can be reproduced by sending a request to the jsmol.php file with a crafted query parameter that includes the path of a file to be read. This can be done using the 'getRawDataFromDatabase' call, which will return the contents of the specified file. Additionally, the plugin is vulnerable to reflected cross-site scripting, which can be exploited by injecting JavaScript into certain parameters that are not properly sanitized.

Remediation

Users are advised to uninstall the Jmol plugin from the Moodle Site Administration interface. Ensure that the uninstallation removes the plugin directory from the web server's filesystem, as simply disabling the plugin does not stop the vulnerable PHP scripts from being accessed.