SQL Injection Vulnerability Discovered in Moodle

Update – 24th March 2022: Moodle have released the following statement to LHN since the publishing of this article:

Moodle has a robust security review process, including a published Responsible Disclosure Policy. In line with industry best practice, this policy requests that security vulnerabilities are disclosed to us before being published (or further circulated) to protect the security of our users globally. In this instance, this did not occur, and we became aware of the vulnerability in early March. We quickly responded to this flaw and, on March 14, released a security patch and notified registered site administrators. We published the fix to the Moodle Security Announcement forum on March 21. Moodle developed, tested and released the patch in less than two weeks, well below industry norms.

A researcher has recently explained how a vulnerability in the Moodle platform could allow for data leakage. Exploiting the vulnerability required an adversary to conduct a SQL injection.

Moodle Vulnerability Exposing Data

Reportedly, the security researcher with the alias “dugisec” has highlighted details about the SQL injection vulnerability in Moodle. As described, exploiting the flaw could allow an adversary to take over the target database and access sensitive information.

Moodle is an open-source e-learning platform used by a huge number of online tutors, teachers, and students. It is also popular among universities, helping them continue educational activities remotely. The platform also comes with numerous plugins that users can use to expand the site’s functionality.

Describing the vulnerability, the researcher stated in a post that a second-order SQL injection vulnerability threatened the platform’s security. The bug resided in the functionality that allows teachers to create custom badges for their students.

Normally, students earn such badges upon completing specific tasks. However, due to the vulnerability, an attacker with teacher-level privileges could insert malicious queries into the database.

As explained in the post,

After creating the badge, the user is prompted to add the criteria which will qualify students to earn the badge. It is during the creation of badge criteria that one can insert a malicious SQL query into the database. Later, that data is fetched from the database and injected unsanitized into another query.

Thus, enabling the badge for the students would trigger the vulnerability.

While the bug is easy to exploit, it also has a limitation. As the researcher noticed, the bug triggers only during badge creation and does not work once the badge has been created. So, exploiting the bug again would require the attacker to create a new badge.
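The store-then-reuse pattern described above, shown next to a hardened version of the second query. This is an added example, not Moodle's code or the researcher's: it uses Python with an in-memory SQLite database, and the table names, function names and sample values are hypothetical and constructed for illustration.

```python
import sqlite3

def make_db():
    """Build a small in-memory database (constructed sample schema and rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE criteria (badge_id INTEGER, course_ids TEXT);
        CREATE TABLE completions (user_id INTEGER, course_id INTEGER);
        INSERT INTO completions VALUES (1, 10), (2, 20), (3, 30);
    """)
    return db

def save_criteria(db, badge_id, course_ids):
    # Step 1: the value is stored with a bound parameter, so this statement
    # is safe on its own and the text lands in the table verbatim.
    db.execute("INSERT INTO criteria VALUES (?, ?)", (badge_id, course_ids))

def _stored_ids(db, badge_id):
    row = db.execute("SELECT course_ids FROM criteria WHERE badge_id = ?",
                     (badge_id,)).fetchone()
    return row[0]

def earners_vulnerable(db, badge_id):
    # Step 2 (flawed): data read back from the database is treated as trusted
    # and concatenated into a new statement. This is the second-order flaw.
    stored = _stored_ids(db, badge_id)
    sql = "SELECT user_id FROM completions WHERE course_id IN (" + stored + ")"
    return sorted(r[0] for r in db.execute(sql))

def earners_hardened(db, badge_id):
    # Step 2 (hardened): re-validate the stored value as integers, then bind
    # each one. int() raises ValueError on anything that is not a number.
    ids = [int(part) for part in _stored_ids(db, badge_id).split(",")]
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT user_id FROM completions WHERE course_id IN ({placeholders})"
    return sorted(r[0] for r in db.execute(sql, ids))

if __name__ == "__main__":
    db = make_db()
    save_criteria(db, 1, "10,20")        # ordinary criteria
    save_criteria(db, 2, "10) OR (1=1")  # constructed value that alters query 2
    print(earners_vulnerable(db, 1))     # users who completed course 10 or 20
    print(earners_vulnerable(db, 2))     # filter bypassed: every user returned
    try:
        earners_hardened(db, 2)
    except ValueError as exc:
        print("rejected stored value:", exc)
```

The insert is parameterized in both paths; only the later read-and-reuse step differs, which is why reviewing input handling alone does not catch this class of bug.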

It presently remains unclear whether Moodle has patched the flaw or plans to fix it.
