Security flaw could risk data leak
A security vulnerability in e-learning platform Moodle could allow an attacker to take over a database and potentially obtain sensitive information, researchers have warned.
Moodle is an open source educational resource that enables institutions to create online learning materials for students.
Teachers are able to create custom badges for their pupils, which they can earn through completing tasks such as courses or essays.
When creating these badges, it is possible for an attacker with teacher status to insert a malicious SQL query into the database.
Later, that data is fetched from the database and is injected unsanitized into another query. When the badge is enabled for access by students, the injected SQL query will be executed.
In a blog post, researcher ‘dugisec’ explained how the attack works.
It’s important to note that in order to perform this attack, a malicious actor will have to be logged in as a teacher.
They wrote: “In order to exploit this, a new badge has to be created for each SQL query that the attacker wants to run. This is because once a badge has been created, the criteria cannot be updated.”
The researcher added: “I also would not be surprised if there are more SQLis of this nature in Moodle. As a bonus this bug can be used for stored XSS as well.”
In an email to The Daily Swig, Moodle said that a fix is incoming: “We investigated and prepared a fix for the vulnerability as soon as possible after becoming aware of the blog write up. The fix will be published with our next security/minor release, which will be available from Monday, 14th March 2022.
“This vulnerability was not disclosed to Moodle by the researcher, we became aware of the issue after the blog write up was published.
“The issue with this is that site administrators were not given an opportunity to patch their systems before the proof of concept was made available. Ideally any security findings are reported to our Vulnerability Disclosure Program via https://moodle.org/security/report/, so they can be fixed and responded to as per our security procedures.
“We would recommend that Moodle instances are upgraded to the latest version once the patch is released next week (or at least apply the relevant security patches from that release).
“In the meantime, the moodle/badges:configurecriteria capability can be removed from users to prevent them accessing the relevant functionality until the update/patch is applied (by default that access is given to teachers and managers).”