SQL injection vulnerability in Moodle e-learning platform could allow database takeover

Jessica Haworth on March 8, 2022 at 2:36 PM UTC

Updated: Mar 10, 2022 10:32 UTC

A security breach could lead to a data leak

A security flaw in online learning platform Moodle could allow an attacker to take control of a database and potentially obtain sensitive information, researchers have warned.

Moodle is an open source educational resource that allows institutions to create online learning materials for students.

Researchers found that the website is vulnerable to a second-order SQL injection flaw, which could allow an attacker to take control of a database server.

Learn about the latest open source security news

Teachers can create personalized badges for their students, which they can earn by completing tasks such as lessons or essays.

When creating these badges, it is possible that an attacker with teacher status inserts a malicious SQL query in the database.

Later, this data is extracted from the database and injected without being cleaned in another query. When the badge is enabled for student access, the injected SQL query will be executed.

In a blog post, researcher “dugisec” explained how the attack works.

Warnings

It is important to note that to perform this attack, a malicious actor will need to be logged in as a teacher.

However, the impact of the authenticated bug could be damaging. The researcher who discovered the vulnerability said it could also be used in a stored XSS attack.

They wrote: “In order to exploit this, a new badge must be created for each SQL query the attacker wishes to execute. Indeed, once a badge has been created, the criteria cannot be updated. »

The researcher added: “I also wouldn’t be surprised if there were more SQLis of this nature in Moodle. As a bonus, this bug can also be used for stored XSSs.

READ MORE Researchers, cheaters: RCE bug in online learning platform Moodle could be exploited to steal data, manipulate results

In an email to The daily sipMoodle said a fix is ​​in the works: “We have investigated and prepared a fix for the vulnerability as soon as possible after becoming aware of the blog post. The fix will be released with our next security/minor release, which will be available from Monday, March 14, 2022.

“This vulnerability was not disclosed to Moodle by the researcher, we became aware of the issue after the blog editorial published.

“The problem with this is that site admins haven’t had a chance to fix their systems before the proof of concept is available. Ideally, all security findings are reported to our vulnerability disclosure program via https ://moodle.org/security/report/, so that they can be corrected and dealt with in accordance with our security procedures.

“We recommend that Moodle instances be upgraded to the latest version once the patch is released next week (or at least apply the relevant security patches from that version).

“In the meantime, the capability can be removed from users to prevent them from accessing the relevant functionality until the update/fix is ​​applied (by default, this access is granted to teachers and managers).”

YOU CAN LIKE Moodle e-learning platform fixes session hijacking bug that led to RCE pre-authorization

Maria H. Underwood