Moodle Security Vulnerabilities

by Amit Sharma -
Number of replies: 7

Hi Team,

We are facing some Moodle security vulnerability issues in core files. I am sharing the details below.

VA Category | URL | Finding
HTML Injection | url/lib/editor/atto/autosave-ajax.php | HTML tags are executed.
Iframe Injection | url/lib/editor/atto/autosave-ajax.php | iframe tags are executed and sites can be loaded inside them.
Link Injection | url/lib/editor/atto/autosave-ajax.php | Link tags can be used for redirecting the application to the intended malicious site.
Cross-Site Scripting (XSS) | url/lib/editor/atto/autosave-ajax.php | Cookies can be obtained by injected payloads and redirection to the injected site is also possible.
Insecure Direct Object References | url/course/view.php?id=1 | The currently logged in user can see the details of other users too.
Malicious File Upload | url/repository/repository_ajax.php?action=upload | Any type of file can be uploaded directly without any restriction.
Privilege Escalation | url | The user can see the details of the upcoming course.
Server-Side Request Forgery (SSRF) / Cross-Site Port Attack (XSPA) | url/repository/repository_ajax.php?action=signin | Internal port scanning can be done and the application also interacts actively with external domains/sites.
Possible Sensitive Directories/Files Detected | url/lib/ajax/service-nologin.php/backup.zip |
Database Error Message | url/contentbank/view.php?id=-1%20order%20by%201--+ | Table names are being revealed in the error message by changing the IDs passed in the URL.

Please help to resolve the issue.

Thanks,
Amit Kumar

In reply to Amit Sharma

Re: Moodle Security Vulnerabilities

by Mary Cooch -
Hello Amit. We have a dedicated Security and Privacy forum so I am going to move your post to there so you can get more specialised advice.
In reply to Amit Sharma

Re: Moodle Security Vulnerabilities

by Michael Hawkins -

Hi Amit,

Please do not publish potential security issues to this public forum. We have a security submission form where you can send any findings here: https://moodle.org/security/report/. We have a Responsible Disclosure Policy, so any confirmed security issues are not published until a patch is in place (for more information, see our Security Policies documentation).

Having a quick look at your post, to cover off a few of the examples: Some of those items (eg things relating to atto autosave) appear to be expected functionality or limited to the user performing the action and not exploitable. The IDOR appears to just be loading course pages (which is expected functionality) and modifying that ID will only load courses the user has access to. The SSRF result is due to a mis-configuration on your site, it can be mitigated using the cURL settings provided in the site admin HTTP Security settings (potentially along with configuring your internal firewall).

If you have any further findings, please report them via our security submission form, and if you have any questions on the above or the items you listed, please feel free to reach out via security@moodle.com.

Thanks,

Mick

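The SSRF mitigation Mick points to is the cURL blocked hosts list and cURL allowed ports list in the HTTP security settings. As an added illustration that is not Moodle's own code, the Python below models how such lists gate an outbound URL: the list contents are constructed samples, the matching rules (literal IP, CIDR range, plain hostname, *.wildcard domain, and DNS-resolved addresses of a hostname) are an assumed reading of the documented list format rather than Moodle's implementation, and the resolver is injectable so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample values for the two settings, one entry per line as the admin
# page accepts them: IP addresses, CIDR ranges, hostnames and *.wildcard domains.
BLOCKED_HOSTS = """
127.0.0.0/8
::1
10.0.0.0/8
192.168.0.0/16
169.254.169.254
localhost
*.internal.example
"""
ALLOWED_PORTS = "80\n443"  # an empty list means every port is allowed

def resolve(host, resolver):
    # Literal IP, else whatever DNS returns; an unresolvable name yields nothing.
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        try:
            return [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return []

def host_matches(host, entry, resolver):
    host, entry = host.lower().rstrip('.'), entry.lower()
    if entry.startswith('*.'):                           # wildcard domain entry
        return host.endswith(entry[1:])
    try:
        net = ipaddress.ip_network(entry, strict=False)  # IP or CIDR entry
    except ValueError:
        return host == entry                             # plain hostname entry
    # Resolving first also blocks a public name that points at an internal address.
    return any(a.version == net.version and a in net for a in resolve(host, resolver))

def is_url_allowed(url, blocked=BLOCKED_HOSTS, ports=ALLOWED_PORTS, resolver=None):
    # Returns (allowed, reason); pass a resolver to check offline or in tests.
    resolver = resolver or (lambda h: socket.gethostbyname_ex(h)[2])
    parts = urlsplit(url)
    if not parts.hostname:
        return False, 'no host in URL'
    port = parts.port or {'http': 80, 'https': 443}.get(parts.scheme)
    if ports.split() and str(port) not in ports.split():
        return False, f'port {port} not in allowed ports'
    for entry in blocked.split():
        if host_matches(parts.hostname, entry, resolver):
            return False, f'host blocked by entry {entry}'
    return True, 'ok'
```

A practical check is to run the URLs your repositories legitimately fetch through such a list before enabling it, so that the blocked ranges cover loopback, private and link-local space without breaking an expected external host.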
In reply to Michael Hawkins

Re: Moodle Security Vulnerabilities

by Amit Sharma -
Thanks Mick. I will check and post via the above form or email.
In reply to Michael Hawkins

Re: Moodle Security Vulnerabilities

by Amit Sharma -
Dear Mick,

Thanks for your help. We have fixed the issue as per your reference email.

We have some major issues in core Moodle, please help:

HTML Form Without CSRF Protection
HTTP Host Header Injection
How can we fix this globally in Moodle to restrict input values to alphanumeric? Currently the grade input and other inputs accept script, HTML and other values. I am sharing the reference screen below.

Thanks,
Amit Kumar

In reply to Amit Sharma

Re: Moodle Security Vulnerabilities

by Michael Hawkins -

Hi Amit,

Regarding further restricting users who already have capabilities flagged with known XSS risk, you may want to look into the trusttext feature and removing their trustcontent capability, however I do not think this covers all functionality within Moodle, as many features are designed to give users such as teachers flexibility with how they engage students with dynamic content (which is why capabilities with this risk should only be assigned to "trusted" users who need them). Items that are covered by the trusttext functionality are listed under Current conversion status in the docs.

Regarding the other items you mentioned - as I said before, please do not post any findings of potential vulnerabilities in this public forum, whether detailed or not. If you have concerns that something may be a security issue, please report them via the proper channels mentioned in my previous post. Further posts not following these guidelines may be ignored and/or deleted.

In reply to Amit Sharma

Re: Moodle Security Vulnerabilities

by Abdullah Zayed -
Hi Amit,
Did you get a solution for the Malicious File Upload finding (url/repository/repository_ajax.php?action=upload), where any type of file can be uploaded directly without any restriction?