Recently a serious security bug in Moodle code was observed and demonstrated which allows an attacker to execute code on the Moodle server. Moodle HQ promptly looked into the bug and provided a security fix through Moodle Tracker issue MDL-58010. Hence, you should upgrade your Moodle site as a priority to the latest Moodle versions, i.e. 3.2.2, 3.1.5, 3.0.9 or 2.7.19 (whichever is relevant), rather than applying a patch.
The Moodle security vulnerability, a Remote Code Execution (RCE), affects almost all Moodle versions, i.e. Moodle 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions. The security issue was reported by Netanel Rubin, Co-Founder & CEO at Vaultra. Netanel proved that it is possible to attack a Moodle server by SQL injection as an ordinary registered user on Moodle 3.2 via the web interface. A similar scenario could be used in earlier versions of Moodle, but only by managers/admins and only via web services.
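Since the fix is to upgrade rather than patch, the first thing an administrator needs is a reliable answer to "is my site in one of the affected ranges?". The following Python script is an added example, not code from the post or from Moodle: it reads the `$release` string as stored in Moodle's `version.php` (the sample file contents below are constructed in that shape, not copied from a real install), parses it, and classifies the release against the version ranges listed above. Weekly `+` builds are deliberately treated conservatively, since the release string alone does not say whether such a build includes the MDL-58010 fix.

```python
import re
from typing import Tuple

# Affected branches as listed in the post for MDL-58010:
# branch -> (last affected patch release, first fixed release on that branch).
AFFECTED_BRANCHES = {
    (3, 2): (1, "3.2.2"),
    (3, 1): (4, "3.1.5"),
    (3, 0): (8, "3.0.9"),
    (2, 7): (18, "2.7.19"),
}
NEWEST_FIXED = "3.2.2"  # suggested target for branches with no fix of their own

# Numeric prefix of a $release string, e.g. '3.2.1 (Build: 20170109)' or '3.1+ (Build: ...)'.
_RELEASE_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(\+)?")
# The $release assignment inside version.php.
_VERSION_PHP_RE = re.compile(r"\$release\s*=\s*(['\"])(.*?)\1\s*;")

# Constructed excerpt in the shape of Moodle's version.php (not a real file).
SAMPLE_VERSION_PHP = """<?php
$version  = 2016120501.00;
$release  = '3.2.1 (Build: 20170109)';
$branch   = '32';
"""


def parse_release(release: str) -> Tuple[int, int, int, bool]:
    """Return (major, minor, patch, is_weekly) from a $release string.
    A missing patch number means .0; a trailing '+' marks a weekly build."""
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised Moodle release string: {release!r}")
    major, minor, patch, plus = m.groups()
    return int(major), int(minor), int(patch or 0), plus is not None


def assess(release: str) -> Tuple[str, str]:
    """Classify a release against the ranges in the post.
    Returns (status, advice); status is 'vulnerable', 'fixed' or 'unknown'."""
    major, minor, patch, weekly = parse_release(release)
    branch = (major, minor)
    if branch in AFFECTED_BRANCHES:
        last_affected, fixed = AFFECTED_BRANCHES[branch]
        if patch > last_affected:
            return "fixed", f"{release.strip()} is at or beyond {fixed}"
        # A weekly '+' build of an affected release may or may not carry the
        # fix; the release string cannot tell us, so treat it as affected.
        note = " (weekly build: confirm the MDL-58010 fix is present)" if weekly else ""
        return "vulnerable", f"upgrade to {fixed}{note}"
    if branch > (3, 2):
        return "unknown", "newer than the branches listed in the post; check the tracker issue"
    # 2.8, 2.9 and anything before 2.7 were unsupported at the time; the post
    # lists unsupported versions as affected with no fix on their own branch.
    return "vulnerable", f"unsupported branch; upgrade to a supported release such as {NEWEST_FIXED}"


def release_from_version_php(text: str) -> str:
    """Extract the $release value from the text of a version.php file."""
    m = _VERSION_PHP_RE.search(text)
    if not m:
        raise ValueError("no $release assignment found in version.php text")
    return m.group(2)


if __name__ == "__main__":
    # Typical use: assess(release_from_version_php(open("/path/to/moodle/version.php").read()))
    for sample in (release_from_version_php(SAMPLE_VERSION_PHP), "3.2.2", "3.1+", "2.9.1", "3.3"):
        status, advice = assess(sample)
        print(f"{sample:<28} {status:<11} {advice}")
```

The classification uses only the `$release` string, so it is a quick first check; a site that has been hot-patched without bumping its release string will still report as vulnerable, which is the safer direction to err in.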
Moodle is the world’s most popular open source learning management system, with thousands of files, hundreds of components and about two million lines of code contributed by many developers. It follows that different developers wrote different parts of the code, even where those parts interact with each other.
Netanel exploited a logical vulnerability in Moodle’s dynamic AJAX system, which allows different components to use the system’s built-in Ajax interface. Check out the full PoC report posted by Netanel on his blog here.
I completely agree with Netanel that this kind of logical vulnerability can and will occur in almost all systems with a large code base. Security issues in large code bases are of course not Moodle specific. This kind of security vulnerability may appear because Moodle code is contributed by hundreds of developers around the world, and the Moodle HQ security experts will now take a serious second look at Moodle’s security.
Have you also observed any security issues with your Moodle server? If yes, share with us in the comments section below or in Moodle’s security forum here.