Finders, cheaters: RCE bug in Moodle e-learning platform could be abused to steal data, manipulate results

A critical security vulnerability in a popular e-learning platform could be abused to allow access to students’ data and test papers – and possibly even manipulate exam results.

Moodle is an open source application that’s said to be used by 190,000 organizations in 246 countries worldwide. Many of these are educational institutions such as universities or colleges.

The bug, a PHP object injection vulnerability in Moodle’s Shibboleth authentication module, could allow unauthenticated attackers to achieve remote code execution (RCE), resulting in a complete compromise of the server.

In turn, this could allow them complete access to anything on the target server, including personally identifiable information such as password hashes, exam grades, and messages.

Pre-auth RCE

The flaw was discovered by Robin Peraglie and Johannes Moritz, penetration testers by trade, who chose to hunt for bugs in Moodle because they had previously found two other RCE vulnerabilities in the software.

Moritz told The Daily Swig that the vulnerability is only present in Moodle LMS servers that have Shibboleth single sign-on authentication enabled. The module is disabled by default, offering some respite to the universities and institutions that make use of the platform.

If enabled, however, an unauthenticated attacker can execute arbitrary system commands, the researcher explained.

“This would result in a complete compromise of the server including a leakage of user data. Malicious students could also abuse it to get read/write access to exams before they have started,” said Moritz.

The researcher described the vulnerability as “actually pretty easy” to exploit, since a list of websites with Shibboleth activated is available publicly online.

The team published a blog post containing further technical details on how they found and exploited the bug.

Closed book

The issue was reported to Bugcrowd and, following a lengthy disclosure process, the flaw has now been patched.

It took four months for the vulnerability to be triaged, revealed Moritz, who said he had the impression it was not treated as a priority.

When asked why they didn’t report it directly to Moodle, which has its own vulnerability disclosure program, the researcher said they are “quite inflexible with providing patches because of their two-month release cycle”.

Moritz did, however, reveal that the team also found a second critical Moodle pre-authentication bug – details of which will be released following a separate, ongoing coordinated disclosure process.

Source: https://portswigger.net/daily-swig/finders-cheaters-rce-bug-in-moodle-e-learning-platform-could-be-abused-to-steal-data-manipulate-results
