Thor Larholm discovered that PHPMailer, as used by Moodle, did not correctly escape email addresses. A local attacker with direct access to the Moodle database could exploit this to execute arbitrary commands as the web server user. (CVE-2007-3215)

Nigel McNie discovered that fetching https URLs did not correctly escape shell meta-characters. An authenticated remote attacker could execute arbitrary commands as the web server user, if curl was installed and configured. (CVE-2008-4796, MSA-09-0003)

It was discovered that Smarty (also included in Moodle), did not correctly filter certain inputs. An authenticated remote attacker could exploit this to execute arbitrary PHP commands as the web server user. (CVE-2008-4810, CVE-2008-4811, CVE-2009-1669)

It was discovered that the unused SpellChecker extension in Moodle did not correctly handle temporary files. If the tool had been locally modified, it could be made to overwrite arbitrary local files via symlinks. (CVE-2008-5153)

Mike Churchward discovered that Moodle did not correctly filter Wiki page titles in certain areas. An authenticated remote attacker could exploit this to cause cross-site scripting (XSS), which could be used to modify or steal confidential data of other users within the same web domain. (CVE-2008-5432, MSA-08-0022)

It was discovered that the HTML sanitizer, 'Login as' feature, and logging in Moodle did not correctly handle certain inputs. An authenticated remote attacker could exploit this to generate XSS, which could be used to modify or steal confidential data of other users within the same web domain. (CVE-2008-5619, CVE-2009-0500, CVE-2009-0502, MSA-08-0026, MSA-09-0004, MSA-09-0007)

It was discovered that the HotPot module in Moodle did not correctly filter SQL inputs. An authenticated remote attacker could execute arbitrary SQL commands as the moodle database user, leading to a loss of privacy or denial of service. (CVE-2008-6124, MSA-08-0010)

Kevin Madura discovered that the forum actions and messaging settings in Moodle were not protected from cross-site request forgery (CSRF).
If an authenticated user were tricked into visiting a malicious website while logged into Moodle, a remote attacker could change the user's configurations or forum content. (CVE-2009-0499, MSA-09-0008, MSA-08-0023)

Daniel Cabezas discovered that Moodle would leak usernames from the Calendar Export tool. A remote attacker could gather a list of users, leading to a loss of privacy. (CVE-2009-0501, MSA-09-0006)

Christian Eibl discovered that the TeX filter in Moodle allowed any function to be used. An authenticated remote attacker could post a specially crafted TeX formula to execute arbitrary TeX functions, potentially reading any file accessible to the web server user, leading to a loss of privacy. (CVE-2009-1171, MSA-09-0009)

Johannes Kuhn discovered that Moodle did not correctly validate user permissions when attempting to switch user accounts. An authenticated remote attacker could switch to any other Moodle user, leading to a loss of privacy. (MSA-08-0003)

Hanno Boeck discovered that unconfigured Moodle instances contained XSS vulnerabilities. An unauthenticated remote attacker could exploit this to modify or steal confidential data of other users within the same web domain. (MSA-08-0004)

Debbie McDonald, Mauno Korpelainen, Howard Miller, and Juan Segarra Montesinos discovered that when users were deleted from Moodle, their profiles and avatars were still visible. An authenticated remote attacker could exploit this to store information in profiles even after they were removed, leading to spam traffic. (MSA-08-0015, MSA-09-0001, MSA-09-0002)

Lars Vogdt discovered that Moodle did not correctly filter certain inputs. An authenticated remote attacker could exploit this to generate XSS from which they could modify or steal confidential data of other users within the same web domain. (MSA-08-0021)

It was discovered that Moodle did not correctly filter inputs for group creation, mnet, essay question, HOST param, wiki param, and others. An authenticated remote attacker could exploit this to generate XSS from which they could modify or steal confidential data of other users within the same web domain. (MDL-9288, MDL-11759, MDL-12079, MDL-12793, MDL-14806)

It was discovered that Moodle did not correctly filter SQL inputs when performing a restore. An attacker authenticated as a Moodle administrator could execute arbitrary SQL commands as the moodle database user, leading to a loss of privacy or denial of service.
(MDL-11857).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

リモートホストは、PHPで書かれたWebベースのIMAPクライアントのRoundCube Webmailを実行しています。 

リモートホストにインストールされているRoundCube Webmailのバージョンでは、chuggnutt.comからの組み込みhtml2text変換ライブラリを介して任意のコマンドを実行できます。特別に細工されたPOSTリクエストを使用して、認証されていないリモート攻撃者が、この問題を利用して、 Webサーバーが動作する権限に従って、影響を受けるホストで任意のPHPコードを実行する可能性があります。

遠端主機正在執行 RoundCube Webmail，這是一個以 PHP 編寫的 Web IMAP 用戶端。 

遠端主機上安裝的 RoundCube Webmail 版本允許透過 chuggnutt.com 的內嵌 html2text 轉換程式庫執行任意命令。若使用特製的 POST 要求，未驗證的遠端攻擊者可利用此問題，在受影響主機上執行需要 Web 伺服器操作權限的任意 PHP 程式碼。

The remote host is running RoundCube Webmail, a web-based IMAP client written in PHP. 

The version of RoundCube Webmail installed on the remote host allows execution of arbitrary commands via the embedded html2text conversion library from chuggnutt.com.  Using a specially crafted POST request, an unauthenticated, remote attacker can leverage this issue to execute arbitrary PHP code on the affected host subject to the privileges under which the web server operates.

Entry for CVE-2008-5619 says :

html2text.php in RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta allows remote attackers to execute arbitrary code via crafted input that is processed by the preg_replace function with the eval switch.

Fix for code injection vulnerability.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	名前	製品	ファミリー	公開日	更新日	深刻度
39516	Ubuntu 8.04 LTS / 8.10 : moodle vulnerabilities (USN-791-1)	Nessus	Ubuntu Local Security Checks	2009/6/25	2021/1/19	critical
35273	RoundCube Webmail bin/html2text.php PostリクエストのリモートPHPコードの実行	Nessus	CGI abuses	2008/12/26	2022/4/11	high
35273	RoundCube Webmail bin/html2text.php Post 要求遠端 PHP 程式碼執行	Nessus	CGI abuses	2008/12/26	2022/4/11	high
35273	RoundCube Webmail bin/html2text.php Post Request Remote PHP Code Execution	Nessus	CGI abuses	2008/12/26	2022/4/11	high
35285	FreeBSD : roundcube -- remote execution of arbitrary code (8f483746-d45d-11dd-84ec-001fc66e7203)	Nessus	FreeBSD Local Security Checks	2009/1/2	2021/1/6	critical
35095	Fedora 8 : roundcubemail-0.2-4.beta.fc8 (2008-11220)	Nessus	Fedora Local Security Checks	2008/12/15	2021/1/11	critical
35098	Fedora 9 : roundcubemail-0.2-4.beta.fc9 (2008-11234)	Nessus	Fedora Local Security Checks	2008/12/15	2021/1/11	critical

検出

プラグインの検索

critical

high

high

high

critical

critical

critical