Security announcements

MSA-18-0002: Setting for blocked hosts list can be bypassed with multiple A record hostnames

 
Picture of Marina Glancy
MSA-18-0002: Setting for blocked hosts list can be bypassed with multiple A record hostnames
 

Moodle setting "cURL blocked hosts list" was introduced in Moodle 3.2 to prevent access to specific addresses (usually internal) when server retrieves URLs requested by the user. PoC was presented how to bypass this restriction by using a DNS record that returns multiple A records for a hostname.


Severity/Risk: Minor
Versions affected: 3.4, 3.3 to 3.3.3 and 3.2 to 3.2.6
Versions fixed: 3.4.1, 3.3.4 and 3.2.7
Reported by: Jordan Tomkinson
CVE identifier: CVE-2018-1043
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61143
Tracker issue: MDL-61143 curlsecurityblockedhosts can be bypassed with multiple A record hostnames