I have a question related to Moodle security and would appreciate any constructive help in resolving it.
We have a Moodle deployed on Azure cloud infrastructure with Azure WAF enabled. Like the other guys on this forum, we expectedly encountered the issue where the WAF blocks harmless user input when it matches firewall rules.
Specifically, we have the following SQLI-related rule triggered by the form at /mod/quiz/attempt.php:
Message: SQL Injection Attack
ruleId_s: 942480
ruleGroup_s: REQUEST-942-APPLICATION-ATTACK-SQLI
action_s: Matched
details_message_s: Pattern match (?i?:\\b(??:s(?:elect\\b.{1,100}?\\b(???:length|count)\\b.{1,100}?|.*?\\bdump\\b.*)\\bfrom|to(?:p\\b.{1,100}?\\bfrom|_(?:numbe|cha)r)|(?:from\\b.{1,100}?\\bwher|data_typ)e|instr)|ys_context)|in(?:to\\b\\W*?\\b(?:dump|out)file|sert\\b\\W*?\\binto|ner\\b\\W*?\\bjoin)|u(?:nion\\b.{1,100}?\\bselect|tl_inaddr)|group\\b.*?\\bby\\b.{1,100}?\\bhaving|d(?:elete\\b\\W*?\\bfrom|bms_\\w+\\.)|load\\b\\W*?\\bdata\\b.*?\\binfile)\\b|print\\b\\W*?\\@\\@)|(?:\\W*?\\b(?:shutdown|drop)|collation\\W*?\\(a|\\@\\@version)\\b|'(?:s(?:qloledb|a)|msdasql|dbo)')) at ARGS.
details_data_s: Matched Data: insert into found within ARGS:q2330:9_answer: insert into
Together with our IT security team, we are looking for a solution that will remediate user input and keep us as secure as possible. In order to disable or make exceptions to WAF rules, we need to collect a body of justifications that Moodle will be able to withstand the whole variety of SQLI attacks.
My request is to help me compose a list of such justifications. Here's what I already have:
1) double-check that we are using the latest version of Moodle and that there are no known SQL-related security flaws reported in "Security Announcements" https://moodle.org/security/.
2) verify that all DB interactions in the Quiz module are implemented through the dmllib methods and that values are inserted into SQL using placeholders only (according to the "What you need to do in your code" recommendation in https://docs.moodle.org/dev/Security:SQL_injection).
3) run an SQL-focused penetration test for quiz-related controllers, e.g. with sqlmap.
4) ...(your suggestion)...
Thank you,
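As an added illustration of what item 2 is checking for (example code written here, not from the original post or from Moodle's own quiz module), this contrasts a query that concatenates a submitted answer into SQL with the same query written through Moodle's DML API with placeholders. It assumes Moodle's global $DB object is available; the lookup function names are invented for the example.

```php
<?php
// Added example: the DML placeholder rule from docs.moodle.org/dev/Security:SQL_injection.
// Assumes Moodle's global $DB (core DML API). Function names are hypothetical.
defined('MOODLE_INTERNAL') || die();

// Unsafe pattern: the submitted answer is spliced into the SQL string, so a value
// such as "insert into" (the WAF match above) is interpreted as SQL, not as data.
function find_answer_steps_unsafe(string $answer): array {
    global $DB;
    $sql = "SELECT id, attemptstepid, value
              FROM {question_attempt_step_data}
             WHERE name = 'answer' AND value = '" . $answer . "'";
    return $DB->get_records_sql($sql);
}

// Safe pattern: same query with named placeholders. The driver binds $answer as a
// parameter, so the text is stored and compared verbatim and never parsed as SQL.
function find_answer_steps_safe(string $answer): array {
    global $DB;
    $sql = "SELECT id, attemptstepid, value
              FROM {question_attempt_step_data}
             WHERE name = :name AND value = :value";
    return $DB->get_records_sql($sql, ['name' => 'answer', 'value' => $answer]);
}

// Writing an answer back: insert_record() builds the INSERT with bound parameters,
// so no SQL is assembled from the user-supplied value at all.
function store_answer_step(int $stepid, string $answer): int {
    global $DB;
    $record = (object) [
        'attemptstepid' => $stepid,
        'name'          => 'answer',
        'value'         => $answer,
    ];
    return $DB->insert_record('question_attempt_step_data', $record);
}
```

Auditing for the first shape (string concatenation or interpolation next to an `_sql(` call) is the concrete evidence item 2 asks for; code written in the second shape is what makes a WAF exception defensible.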