SQL injection vulnerability in e-learning platform Moodle could enable database takeover


Jessica Haworth
08 March 2022 at 14:36 UTC
Updated: 08 March 2022 at 16:08 UTC
Security flaw could risk data leak
A security vulnerability in e-learning platform Moodle could allow an attacker to take over a database and potentially obtain sensitive information, researchers have warned.
Moodle is an open source educational resource that allows institutions to create online learning materials for students.
Researchers have found that the site is vulnerable to a second-order SQL injection flaw, which could enable an attacker to potentially take control of a database server.
Teachers are able to create custom badges for their students, which they can earn by completing tasks such as courses or essays.
When creating these badges, it is possible for an attacker with the teacher role to insert a malicious SQL query into the database.
Later, that data is fetched from the database and injected unsanitized into another query. When the badge is enabled for access by students, the injected SQL query is executed.
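The store-then-reuse pattern described above, as an added example that is not from the article, the researcher's post or Moodle's code base. It uses Python and an in-memory SQLite database rather than Moodle's PHP, and the tables, function names and stored values are hypothetical, constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed, hypothetical schema; these are not Moodle's real tables."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE course (id INTEGER PRIMARY KEY, name TEXT);"
        "CREATE TABLE badge_criteria (badge_id INTEGER PRIMARY KEY, course_ids TEXT);"
    )
    db.executemany("INSERT INTO course VALUES (?, ?)",
                   [(1, "Maths"), (2, "History"), (3, "Staff-only")])
    return db

def save_criteria(db, badge_id, course_ids):
    # Step 1: the write is parameterized, so nothing executes at this point.
    # The teacher-supplied text is simply stored verbatim.
    db.execute("INSERT INTO badge_criteria VALUES (?, ?)", (badge_id, course_ids))

def stored_ids(db, badge_id):
    row = db.execute("SELECT course_ids FROM badge_criteria WHERE badge_id = ?",
                     (badge_id,)).fetchone()
    return row[0]

def enable_badge_vulnerable(db, badge_id):
    # Step 2 (flawed): the value read back from the database is treated as
    # trusted and concatenated into a second statement.
    sql = ("SELECT name FROM course WHERE id IN ("
           + stored_ids(db, badge_id) + ") ORDER BY id")
    return [r[0] for r in db.execute(sql)]

def enable_badge_hardened(db, badge_id):
    # Step 2 (fixed): validate the stored value, then bind it as parameters.
    # int() raises ValueError for anything that is not a list of integers.
    ids = [int(part) for part in stored_ids(db, badge_id).split(",")]
    marks = ",".join("?" * len(ids))
    sql = "SELECT name FROM course WHERE id IN (" + marks + ") ORDER BY id"
    return [r[0] for r in db.execute(sql, ids)]

if __name__ == "__main__":
    db = make_db()
    save_criteria(db, 10, "1,2")          # ordinary criteria (constructed)
    save_criteria(db, 11, "1) OR (1=1")   # crafted criteria (constructed)
    print(enable_badge_vulnerable(db, 11))  # filter is bypassed
    try:
        enable_badge_hardened(db, 11)
    except ValueError as exc:
        print("rejected stored value:", exc)
```

The insert is safe in both versions; the difference lies entirely in how the second query treats data that came out of the application's own database.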
In a blog post, researcher ‘dugisec’ explained how the attack works.
Caveats
It’s important to note that in order to carry out this attack, a malicious actor must be logged in as a teacher.
However, the impact of the authenticated bug could be damaging. The researcher who found the vulnerability said it can also be used in a stored XSS attack.
They wrote: “In order to exploit this, a new badge has to be created for every single SQL query that the attacker wishes to run. This is because when a badge has been created, the criteria cannot be updated.”
The researcher added: “I also would not be surprised if there are more SQLis of this nature in Moodle. As a bonus, this bug can be used for stored XSS as well.”
The researcher noted that this bug appears to have been reported in a GitHub post from 2013.
The report reads: “In order to get our SQL query into the database it is required to create a badge and add some criteria. It is when adding the criteria that the sql-to-be-executed-2nd-order is inserted into the database.
“Finally, when the badge is enabled the injected SQL is executed.”
The Daily Swig has reached out to Moodle to learn more and will update this article accordingly.