Moodle setting "cURL blocked hosts list" was introduced in Moodle 3.2 to prevent access to specific addresses (usually internal) when server retrieves URLs requested by the user. PoC was presented how to bypass this restriction by using a DNS record that returns multiple A records for a hostname.
Severity/Risk: | Minor |
Versions affected: | 3.4, 3.3 to 3.3.3 and 3.2 to 3.2.6 |
Versions fixed: | 3.4.1, 3.3.4 and 3.2.7 |
Reported by: | Jordan Tomkinson |
CVE identifier: | CVE-2018-1043 |
Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61143 |
Tracker issue: | MDL-61143 curlsecurityblockedhosts can be bypassed with multiple A record hostnames |