VYPR
← All advisories
Moderate severityNVD Advisory· Published Jun 1, 2015· Updated May 6, 2026

CVE-2015-1493

CVE-2015-1493

Description

Directory traversal vulnerability in the min_get_slash_argument function in lib/configonlylib.php in Moodle through 2.5.9, 2.6.x before 2.6.8, 2.7.x before 2.7.5, and 2.8.x before 2.8.3 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter, as demonstrated by reading PHP scripts.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
moodle/moodlePackagist
< 2.6.82.6.8
moodle/moodlePackagist
>= 2.7.0, < 2.7.52.7.5
moodle/moodlePackagist
>= 2.8.0, < 2.8.32.8.3

Affected products

27
  • Moodle/Moodle27 versions
    cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*+ 26 more
    • cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*range: <=2.5.9
    • cpe:2.3:a:moodle:moodle:2.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.7:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.8:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.7:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.8:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.2:*:*:*:*:*:*:*

Patches

4
cc496f5b27d3

MDL-48980 Security: Always clean the result from min_get_slash_argument

https://github.com/moodle/moodleDamyon WieseJan 27, 2015via ghsa
commit
2 files changed · +18 6
  • lib/configonlylib.php+6 4 modified
    @@ -171,15 +171,16 @@ function min_enable_zlib_compression() {
  * @return string
  */
 function min_get_slash_argument() {
-    // Note: This code has to work in the same cases as normal get_slash_argument(),
+    // Note: This code has to work in the same cases as normal get_file_argument(),
     //       but at the same time it may be simpler because we do not have to deal
     //       with encodings and other tricky stuff.
 
     $relativepath = '';
 
     if (!empty($_GET['file']) and strpos($_GET['file'], '/') === 0) {
-        // server is using url rewriting, most probably IIS
-        return $_GET['file'];
+        // Server is using url rewriting, most probably IIS.
+        // Always clean the result of this function as it may be used in unsafe calls to send_file.
+        return min_clean_param($_GET['file'], 'SAFEPATH');
 
     } else if (stripos($_SERVER['SERVER_SOFTWARE'], 'iis') !== false) {
         if (isset($_SERVER['PATH_INFO']) and $_SERVER['PATH_INFO'] !== '') {
@@ -197,5 +198,6 @@ function min_get_slash_argument() {
         $relativepath = $matches[1];
     }
 
-    return $relativepath;
+    // Always clean the result of this function as it may be used in unsafe calls to send_file.
+    return min_clean_param($relativepath, 'SAFEPATH');
 }
  • lib/tests/configonlylib_test.php+12 2 modified
    @@ -89,11 +89,11 @@ public function test_min_optional_param() {
     /**
      * Test fail-safe minimalistic slashargument processing.
      */
-    public function min_get_slash_argument() {
+    public function test_min_get_slash_argument() {
         global $CFG;
 
         $this->resetAfterTest();
-        $this->assertEquals('http://www.example.com/moode', $CFG->wwwroot);
+        $this->assertEquals('http://www.example.com/moodle', $CFG->wwwroot);
 
         $_SERVER = array();
         $_SERVER['SERVER_SOFTWARE'] = 'Apache/2.2.22 (Unix)';
@@ -140,5 +140,15 @@ public function min_get_slash_argument() {
         $_SERVER['SCRIPT_NAME'] = '/moodle/theme/image.php';
         $_GET = array();
         $this->assertSame('/standard/core/5/u/f1', min_get_slash_argument());
+
+        $_SERVER = array();
+        $_SERVER['SERVER_SOFTWARE'] = 'Hacker server';
+        $_SERVER['QUERY_STRING'] = '';
+        $_SERVER['REQUEST_URI'] = '/moodle/theme/image.php/standard/core/5/u/f1';
+        $_SERVER['PATH_INFO'] = '/moodle/theme/image.php/standard\\core/..\\../5/u/f1';
+        $_SERVER['SCRIPT_NAME'] = '/moodle/theme/image.php';
+        $_GET = array();
+        // Windows dir separators are removed, multiple ... gets collapsed to one .
+        $this->assertSame('/standardcore/./5/u/f1', min_get_slash_argument());
     }
 }
0289be1321ba

MDL-48980 Security: Always clean the result from min_get_slash_argument

https://github.com/moodle/moodleDamyon WieseJan 27, 2015via ghsa
commit
2 files changed · +18 6
  • lib/configonlylib.php+6 4 modified
    @@ -171,15 +171,16 @@ function min_enable_zlib_compression() {
  * @return string
  */
 function min_get_slash_argument() {
-    // Note: This code has to work in the same cases as normal get_slash_argument(),
+    // Note: This code has to work in the same cases as normal get_file_argument(),
     //       but at the same time it may be simpler because we do not have to deal
     //       with encodings and other tricky stuff.
 
     $relativepath = '';
 
     if (!empty($_GET['file']) and strpos($_GET['file'], '/') === 0) {
-        // server is using url rewriting, most probably IIS
-        return $_GET['file'];
+        // Server is using url rewriting, most probably IIS.
+        // Always clean the result of this function as it may be used in unsafe calls to send_file.
+        return min_clean_param($_GET['file'], 'SAFEPATH');
 
     } else if (stripos($_SERVER['SERVER_SOFTWARE'], 'iis') !== false) {
         if (isset($_SERVER['PATH_INFO']) and $_SERVER['PATH_INFO'] !== '') {
@@ -197,5 +198,6 @@ function min_get_slash_argument() {
         $relativepath = $matches[1];
     }
 
-    return $relativepath;
+    // Always clean the result of this function as it may be used in unsafe calls to send_file.
+    return min_clean_param($relativepath, 'SAFEPATH');
 }
  • lib/tests/configonlylib_test.php+12 2 modified
    @@ -89,11 +89,11 @@ public function test_min_optional_param() {
     /**
      * Test fail-safe minimalistic slashargument processing.
      */
-    public function min_get_slash_argument() {
+    public function test_min_get_slash_argument() {
         global $CFG;
 
         $this->resetAfterTest();
-        $this->assertEquals('http://www.example.com/moode', $CFG->wwwroot);
+        $this->assertEquals('http://www.example.com/moodle', $CFG->wwwroot);
 
         $_SERVER = array();
         $_SERVER['SERVER_SOFTWARE'] = 'Apache/2.2.22 (Unix)';
@@ -140,5 +140,15 @@ public function min_get_slash_argument() {
         $_SERVER['SCRIPT_NAME'] = '/moodle/theme/image.php';
         $_GET = array();
         $this->assertSame('/standard/core/5/u/f1', min_get_slash_argument());
+
+        $_SERVER = array();
+        $_SERVER['SERVER_SOFTWARE'] = 'Hacker server';
+        $_SERVER['QUERY_STRING'] = '';
+        $_SERVER['REQUEST_URI'] = '/moodle/theme/image.php/standard/core/5/u/f1';
+        $_SERVER['PATH_INFO'] = '/moodle/theme/image.php/standard\\core/..\\../5/u/f1';
+        $_SERVER['SCRIPT_NAME'] = '/moodle/theme/image.php';
+        $_GET = array();
+        // Windows dir separators are removed, multiple ... gets collapsed to one .
+        $this->assertSame('/standardcore/./5/u/f1', min_get_slash_argument());
     }
 }
a72f2cca7f08

MDL-48980 Security: Always clean the result from min_get_slash_argument

https://github.com/moodle/moodleDamyon WieseJan 27, 2015via ghsa
commit
2 files changed · +18 6
  • lib/configonlylib.php+6 4 modified
    @@ -171,15 +171,16 @@ function min_enable_zlib_compression() {
  * @return string
  */
 function min_get_slash_argument() {
-    // Note: This code has to work in the same cases as normal get_slash_argument(),
+    // Note: This code has to work in the same cases as normal get_file_argument(),
     //       but at the same time it may be simpler because we do not have to deal
     //       with encodings and other tricky stuff.
 
     $relativepath = '';
 
     if (!empty($_GET['file']) and strpos($_GET['file'], '/') === 0) {
-        // server is using url rewriting, most probably IIS
-        return $_GET['file'];
+        // Server is using url rewriting, most probably IIS.
+        // Always clean the result of this function as it may be used in unsafe calls to send_file.
+        return min_clean_param($_GET['file'], 'SAFEPATH');
 
     } else if (stripos($_SERVER['SERVER_SOFTWARE'], 'iis') !== false) {
         if (isset($_SERVER['PATH_INFO']) and $_SERVER['PATH_INFO'] !== '') {
@@ -197,5 +198,6 @@ function min_get_slash_argument() {
         $relativepath = $matches[1];
     }
 
-    return $relativepath;
+    // Always clean the result of this function as it may be used in unsafe calls to send_file.
+    return min_clean_param($relativepath, 'SAFEPATH');
 }
  • lib/tests/configonlylib_test.php+12 2 modified
    @@ -89,11 +89,11 @@ public function test_min_optional_param() {
     /**
      * Test fail-safe minimalistic slashargument processing.
      */
-    public function min_get_slash_argument() {
+    public function test_min_get_slash_argument() {
         global $CFG;
 
         $this->resetAfterTest();
-        $this->assertEquals('http://www.example.com/moode', $CFG->wwwroot);
+        $this->assertEquals('http://www.example.com/moodle', $CFG->wwwroot);
 
         $_SERVER = array();
         $_SERVER['SERVER_SOFTWARE'] = 'Apache/2.2.22 (Unix)';
@@ -140,5 +140,15 @@ public function min_get_slash_argument() {
         $_SERVER['SCRIPT_NAME'] = '/moodle/theme/image.php';
         $_GET = array();
         $this->assertSame('/standard/core/5/u/f1', min_get_slash_argument());
+
+        $_SERVER = array();
+        $_SERVER['SERVER_SOFTWARE'] = 'Hacker server';
+        $_SERVER['QUERY_STRING'] = '';
+        $_SERVER['REQUEST_URI'] = '/moodle/theme/image.php/standard/core/5/u/f1';
+        $_SERVER['PATH_INFO'] = '/moodle/theme/image.php/standard\\core/..\\../5/u/f1';
+        $_SERVER['SCRIPT_NAME'] = '/moodle/theme/image.php';
+        $_GET = array();
+        // Windows dir separators are removed, multiple ... gets collapsed to one .
+        $this->assertSame('/standardcore/./5/u/f1', min_get_slash_argument());
     }
 }
af9a7937cc08

MDL-48980 Security: Always clean the result from min_get_slash_argument

https://github.com/moodle/moodleDamyon WieseJan 27, 2015via ghsa
commit
2 files changed · +18 6
  • lib/configonlylib.php+6 4 modified
    @@ -171,15 +171,16 @@ function min_enable_zlib_compression() {
  * @return string
  */
 function min_get_slash_argument() {
-    // Note: This code has to work in the same cases as normal get_slash_argument(),
+    // Note: This code has to work in the same cases as normal get_file_argument(),
     //       but at the same time it may be simpler because we do not have to deal
     //       with encodings and other tricky stuff.
 
     $relativepath = '';
 
     if (!empty($_GET['file']) and strpos($_GET['file'], '/') === 0) {
-        // server is using url rewriting, most probably IIS
-        return $_GET['file'];
+        // Server is using url rewriting, most probably IIS.
+        // Always clean the result of this function as it may be used in unsafe calls to send_file.
+        return min_clean_param($_GET['file'], 'SAFEPATH');
 
     } else if (stripos($_SERVER['SERVER_SOFTWARE'], 'iis') !== false) {
         if (isset($_SERVER['PATH_INFO']) and $_SERVER['PATH_INFO'] !== '') {
@@ -197,5 +198,6 @@ function min_get_slash_argument() {
         $relativepath = $matches[1];
     }
 
-    return $relativepath;
+    // Always clean the result of this function as it may be used in unsafe calls to send_file.
+    return min_clean_param($relativepath, 'SAFEPATH');
 }
  • lib/tests/configonlylib_test.php+12 2 modified
    @@ -89,11 +89,11 @@ public function test_min_optional_param() {
     /**
      * Test fail-safe minimalistic slashargument processing.
      */
-    public function min_get_slash_argument() {
+    public function test_min_get_slash_argument() {
         global $CFG;
 
         $this->resetAfterTest();
-        $this->assertEquals('http://www.example.com/moode', $CFG->wwwroot);
+        $this->assertEquals('http://www.example.com/moodle', $CFG->wwwroot);
 
         $_SERVER = array();
         $_SERVER['SERVER_SOFTWARE'] = 'Apache/2.2.22 (Unix)';
@@ -140,5 +140,15 @@ public function min_get_slash_argument() {
         $_SERVER['SCRIPT_NAME'] = '/moodle/theme/image.php';
         $_GET = array();
         $this->assertSame('/standard/core/5/u/f1', min_get_slash_argument());
+
+        $_SERVER = array();
+        $_SERVER['SERVER_SOFTWARE'] = 'Hacker server';
+        $_SERVER['QUERY_STRING'] = '';
+        $_SERVER['REQUEST_URI'] = '/moodle/theme/image.php/standard/core/5/u/f1';
+        $_SERVER['PATH_INFO'] = '/moodle/theme/image.php/standard\\core/..\\../5/u/f1';
+        $_SERVER['SCRIPT_NAME'] = '/moodle/theme/image.php';
+        $_GET = array();
+        // Windows dir separators are removed, multiple ... gets collapsed to one .
+        $this->assertSame('/standardcore/./5/u/f1', min_get_slash_argument());
     }
 }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9

News mentions

0

No linked articles in our index yet.