Researchers warn of critical vulnerability in popular education management system

RCE bug in Moodle e-learning platform could be abused to steal data, manipulate results

A critical security vulnerability in a popular e-learning platform could be abused to allow access to students’ data and test papers – and possibly even manipulate exam results.

Moodle is an open source application that’s said to be used by 190,000 organizations in 246 countries worldwide. Many of these are educational institutions such as universities or colleges.

The bug, a PHP object injection vulnerability in Moodle’s Shibboleth authentication module, could allow unauthenticated attackers to achieve remote code execution (RCE), resulting in a complete compromise of the server.

In turn, this could allow them complete access to anything on the target server, including personally identifiable information such as password hashes, exam grades, and messages.

Pre-auth RCE

The flaw was discovered by Robin Peraglie and Johannes Moritz, penetration testers by trade, who chose to hunt for bugs in Moodle due to previously having found two other RCE vulnerabilities in the software.

Moritz told The Daily Swig that the vulnerability is only present in Moodle LMS server which has Shibboleth single sign-on authentication enabled. The module is disabled by default, offering some respite to the universities and institutions that make use of the platform.

If enabled, however, an unauthenticated attacker can execute arbitrary system commands, the researcher explained.

Read more of the latest education-related security news

“This would result in a complete compromise of the server including a leakage of user data. Malicious students could also abuse it to get read/write access to exams before they have started,” said Moritz.

The researcher described the vulnerability as “actually pretty easy” to exploit, since a list of websites with Shibboleth activated are available publicly online.

The team published a blog post containing further technical details on how they found and exploited the bug.

Closed book

After reporting the issue to Bugcrowd and, following a lengthy disclosure process, the flaw has now been patched.

It took four months for the vulnerability to be triaged, revealed Moritz, who said he had the impression it was not treated as a priority.

DON’T FORGET TO READ Hacking education channel suspended from YouTube for ‘severe’ guideline violations

When asked why they didn’t report it directly to Moodle, which has its own vulnerability disclosure program, the researcher said they are “quite inflexible with providing patches because of their two-month release cycle”.

Moritz did, however, reveal that the team also found a a second critical Moodle pre-authentication bug – details of which will be released following a separate, ongoing coordinated disclosure process.

YOU MAY ALSO LIKE Chained Zimbra flaws gave attackers unrestricted access to mail servers