A security vulnerability in e-learning platform Moodle could allow an attacker to take over a database and potentially obtain sensitive information, researchers have warned.
Moodle is an open source educational resource that enables institutions to create online learning materials for students.
Researchers have found that the platform is vulnerable to a second-order SQL injection flaw, which could enable an attacker to potentially take control of a database server.
Teachers are able to create custom badges for their pupils, which pupils can earn by completing tasks such as courses or essays.
When creating these badges, it is possible for an attacker with teacher status to insert a malicious SQL query into the database.
Later, that data is fetched from the database and is injected unsanitized into another query. When the badge is enabled for access by students, the injected SQL query will be executed.
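The store-then-reuse pattern described above, shown as an added example (not Moodle's code and not the researcher's proof of concept): a value is written safely, then read back and concatenated into a second query, next to the parameterized fix. The SQLite schema, function names and sample values are constructed for illustration.

```python
import sqlite3

def setup():
    """Constructed schema for illustration; not Moodle's real tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE badge_criteria (badge_id INTEGER PRIMARY KEY, value TEXT);
        CREATE TABLE completions (id INTEGER PRIMARY KEY, student TEXT, task TEXT);
        INSERT INTO completions (student, task) VALUES
            ('alice', 'course-101'), ('bob', 'essay-7'), ('carol', 'course-202');
    """)
    return db

def add_criteria(db, badge_id, value):
    # Step 1: the write uses a bound parameter, so the INSERT itself is safe
    # and the value is stored byte for byte, quotes included.
    db.execute("INSERT INTO badge_criteria VALUES (?, ?)", (badge_id, value))

def _stored_value(db, badge_id):
    row = db.execute("SELECT value FROM badge_criteria WHERE badge_id = ?",
                     (badge_id,)).fetchone()
    return row[0]

def enable_badge_vulnerable(db, badge_id):
    # Step 2 (flawed): the value is trusted because it came from the database
    # and is concatenated into a new statement, where it is parsed as SQL.
    value = _stored_value(db, badge_id)
    sql = "SELECT student FROM completions WHERE task = '" + value + "' ORDER BY id"
    return [r[0] for r in db.execute(sql)]

def enable_badge_fixed(db, badge_id):
    # Step 2 (fixed): stored data is bound as a parameter like any other input.
    value = _stored_value(db, badge_id)
    sql = "SELECT student FROM completions WHERE task = ? ORDER BY id"
    return [r[0] for r in db.execute(sql, (value,))]

if __name__ == "__main__":
    db = setup()
    add_criteria(db, 1, "course-101")      # ordinary criteria value
    add_criteria(db, 2, "x' OR '1'='1")    # constructed value containing a quote
    for fn in (enable_badge_vulnerable, enable_badge_fixed):
        print(fn.__name__, fn(db, 1), fn(db, 2))
```

Parameterizing only the write path does not help here: the flaw is in the later read-and-reuse step, so code review and static analysis should treat values read from the database as untrusted wherever they reach a query string.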
In a blog post, researcher ‘dugisec’ explained how the attack works.
Caveats
It’s important to note that in order to perform this attack, a malicious actor will have to be logged in as a teacher.
However, the impact of the authenticated bug could be damaging. The researcher who found the vulnerability said it can also be used in a stored XSS attack.
They wrote: “In order to exploit this, a new badge has to be created for each SQL query that the attacker wants to run. This is because once a badge has been created, the criteria cannot be updated.”
The researcher added: “I also would not be surprised if there are more SQLis of this nature in Moodle. As a bonus this bug can be used for stored XSS as well.”
The researcher noted that this bug appears to have been reported in a GitHub post from 2013.
The report reads: “In order to get our SQL query into the database it’s necessary to create a badge and add some criteria. It is when adding the criteria that the sql-to-be-executed-2nd-order is inserted into the database.
“Finally, when the badge is enabled the injected SQL is executed.”
The Daily Swig has reached out to Moodle to learn more and will update this article accordingly.
Source: https://portswigger.net/daily-swig/sql-injection-vulnerability-in-e-learning-platform-moodle-could-enable-database-takeover