Moodle Security Alert!!! Remote Code Execution possible on Moodle code #Moodle


Kind attention, all Moodle site administrators!

Recently a serious security bug in the Moodle code was observed and demonstrated which allows an attacker to execute code on the Moodle server. Moodle HQ promptly looked into the bug and provided a security fix through Moodle Tracker issue MDL-58010. You should therefore upgrade your Moodle site as a priority to the latest Moodle version, i.e. 3.2.2, 3.1.5, 3.0.9 or 2.7.19 (whichever is relevant), rather than applying a patch by hand.

The Moodle security vulnerability, a Remote Code Execution (RCE), affects almost all Moodle versions, i.e. Moodle 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions. The security issue was reported by Netanel Rubin, Co-Founder & CEO at Vaultra. Netanel proved that an ordinary registered user can attack a Moodle 3.2 server through SQL injection via the web interface. A similar scenario could be used in earlier versions of Moodle, but only by managers/admins and only via web services.
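Because the advisory above is expressed as version ranges, the first thing an administrator wants is a quick check of whether a given site falls inside them. The following is an added example (not code from the post, from Moodle HQ or from the researcher) that reads the `$release` line of a Moodle `version.php` and compares it against the fixed releases listed above. The `version.php` content is a constructed sample, not a real site's file; the mapping of branches to fixed releases is taken from the version numbers in the post, and any branch not listed there (the "other unsupported versions") is reported as unsupported, since no fixed release exists for it.

```python
import re

# Minimum fixed release per supported branch, as given in the advisory:
# 3.2.2, 3.1.5, 3.0.9 and 2.7.19.
FIXED_RELEASES = {
    (3, 2): (3, 2, 2),
    (3, 1): (3, 1, 5),
    (3, 0): (3, 0, 9),
    (2, 7): (2, 7, 19),
}

# Constructed sample of a Moodle version.php (assumed content, not from a real site).
SAMPLE_VERSION_PHP = """<?php
defined('MOODLE_INTERNAL') || die();
$version  = 2016120500.00;
$release  = '3.2 (Build: 20161205)';
$branch   = '32';
$maturity = MATURITY_STABLE;
"""


def parse_release(version_php_text):
    """Extract the numeric release (major, minor, patch) from a version.php.

    Moodle writes releases such as '3.2.1 (Build: 20170109)' or '3.2+ (Build: ...)';
    only the leading dotted digits are used, and a missing patch number means 0.
    """
    match = re.search(r"\$release\s*=\s*'([0-9]+(?:\.[0-9]+)*)", version_php_text)
    if not match:
        raise ValueError("no $release line found in version.php")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess(release):
    """Classify a release tuple as 'fixed', 'vulnerable' or 'unsupported'.

    Returns (status, fixed_release); fixed_release is None for unsupported branches,
    which the advisory also lists as affected and for which no fix is published.
    """
    branch = release[:2]
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return ("unsupported", None)
    if release >= fixed:
        return ("fixed", fixed)
    return ("vulnerable", fixed)


def assess_version_php(version_php_text):
    """Convenience wrapper: parse a version.php and return (release, status, fixed)."""
    release = parse_release(version_php_text)
    status, fixed = assess(release)
    return (release, status, fixed)


if __name__ == "__main__":
    release, status, fixed = assess_version_php(SAMPLE_VERSION_PHP)
    print("installed:", ".".join(map(str, release)), "->", status,
          "(fixed in %s)" % ".".join(map(str, fixed)) if fixed else "(no fixed release)")
```

On a real site you would read `version.php` from the Moodle code directory instead of the constructed sample; the comparison logic is the same. An "unsupported" result means the branch receives no security fixes at all, so the only remedy is an upgrade to one of the supported branches.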
Moodle is the world's most popular open source learning management system and has thousands of files, hundreds of components and about two million lines of code contributed by many developers. As such, different developers inevitably wrote different parts of the code, even where those parts interact with each other.

Netanel exploited a logical vulnerability in Moodle's dynamic AJAX system, which allows different components to use the system's built-in Ajax interface. Check out the full PoC report posted by Netanel on his blog here.

I completely agree with Netanel that this kind of logical vulnerability can and will occur in almost all systems with a large code base. Security issues in large code bases are of course not Moodle specific. This kind of vulnerability may appear because Moodle code is contributed by hundreds of developers around the world, and Moodle HQ's security experts will now take a serious second look at Moodle's security.

Have you also observed any security issues with your Moodle server? If yes, share them with us in the comments section below or in Moodle's security forum here.

2 Responses

  1. Jaswinder, can you please recommend to UPGRADE to 3.2.2, 3.1.5, 3.0.9 or 2.7.19 (whatever is relevant) instead of applying a patch.
    First of all, the patch will be different for different versions of Moodle; the link you have included is the commit for the master branch, which nobody uses in production. Second, even when people find the patch for the correct version, patching is a dangerous process that can create conflicts and cause regressions.
    The fix for this security issue was included in the latest release and everybody should upgrade as soon as possible.
