Moodle Security Alert!!! Remote Code Execution possible on Moodle code #Moodle

Kind Attention all Moodle site administrators!!

Recently, a serious security bug in Moodle code was observed and demonstrated which allows an attacker to execute code on the Moodle server. Moodle HQ promptly looked into the bug and provided a security fix through Moodle Tracker issue MDL-58010. Hence, you should upgrade your Moodle site on a priority basis to the latest Moodle version, i.e. 3.2.2, 3.1.5, 3.0.9 or 2.7.19 (whichever is relevant), instead of applying a patch.

The Moodle security vulnerability – Remote Code Execution (RCE) – affects almost all Moodle versions, i.e. Moodle 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions. The security issue was reported by Netanel Rubin, Co-Founder & CEO at Vaultra. Netanel proved that on Moodle 3.2 an ordinary registered user can attack the Moodle server through SQL injection via the web interface. A similar scenario could be used in earlier versions of Moodle, but only by managers/admins and only via web services.
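Before upgrading, an administrator first wants to know whether a given site falls inside the affected ranges above. The following script is an added example written for this post, not code from Moodle HQ or from Netanel's report. It reads the `$release` line that Moodle's own `version.php` carries (for example `$release = '3.2.1 (Build: 20170116)';`) and compares the release against the fixed versions named in this alert. The sample `version.php` text embedded in it is constructed for the demonstration, and the handling of branches the alert does not name (2.8, 2.9, anything older than 2.7, or releases newer than 3.2.2) is this script's own assumption, derived from the sentence that "other unsupported versions" are affected.

```python
import re

# Fixed releases named in the alert (MDL-58010), keyed by (major, minor) branch.
FIXED_RELEASE = {
    (3, 2): (3, 2, 2),
    (3, 1): (3, 1, 5),
    (3, 0): (3, 0, 9),
    (2, 7): (2, 7, 19),
}

# Matches the $release assignment in Moodle's version.php, e.g.
#   $release  = '3.2.1 (Build: 20170116)';
# The optional third group is the point release; a trailing "+" (weekly build)
# or "dev"/"beta" suffix is tolerated and treated as the base release.
_RELEASE_RE = re.compile(
    r"^\s*\$release\s*=\s*'(\d+)\.(\d+)(?:\.(\d+))?[^']*';", re.MULTILINE
)


def parse_release(version_php_text):
    """Return (major, minor, point) parsed from the text of version.php."""
    m = _RELEASE_RE.search(version_php_text)
    if m is None:
        raise ValueError("no $release assignment found in version.php")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def fmt(release):
    """Render a (major, minor, point) tuple as '3.2.1'."""
    return ".".join(str(n) for n in release)


def assess(release):
    """Classify a release against the alert's affected and fixed ranges.

    Returns (status, advice); status is one of
    'fixed', 'vulnerable', 'unsupported' or 'out-of-scope'.
    """
    branch = release[:2]
    if branch in FIXED_RELEASE:
        fixed = FIXED_RELEASE[branch]
        if release >= fixed:  # tuple comparison: 3.2.2 >= 3.2.2, 3.2.3 >= 3.2.2
            return ("fixed", "release %s already contains the MDL-58010 fix" % fmt(release))
        return ("vulnerable", "upgrade %s to %s or later" % (fmt(release), fmt(fixed)))
    if branch < (3, 2):
        # Assumption: 2.8, 2.9 and anything older than 2.7 are the "other
        # unsupported versions" of the alert; no fixed release exists for them.
        return ("unsupported",
                "release %s is affected and its branch receives no security fixes; "
                "move to a supported branch (3.2.2, 3.1.5, 3.0.9 or 2.7.19)" % fmt(release))
    # Assumption: releases newer than 3.2.2 were cut after the fix landed.
    return ("out-of-scope",
            "release %s is newer than the versions this alert covers; "
            "confirm against MDL-58010" % fmt(release))


def check_version_php(version_php_text):
    """Parse version.php text and return (status, advice)."""
    return assess(parse_release(version_php_text))


# Constructed sample of a version.php from a site still on 3.2.1 (not a real file).
SAMPLE_VERSION_PHP = """<?php
defined('MOODLE_INTERNAL') || die();

$version  = 2016120500.00;
$release  = '3.2.1 (Build: 20170116)';
$branch   = '32';
$maturity = MATURITY_STABLE;
"""

if __name__ == "__main__":
    import sys
    # Usage: python check_moodle_rce.py /path/to/moodle/version.php
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_VERSION_PHP
    status, advice = check_version_php(text)
    print("%s: %s" % (status.upper(), advice))
```

Run it against the `version.php` in the Moodle root of each site you administer; a `VULNERABLE` or `UNSUPPORTED` result means the site should be upgraded to the fixed release for its branch, as the alert recommends, rather than hand-patched.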

Moodle is the world’s most popular open source learning management system, with thousands of files, hundreds of components and about two million lines of code contributed by many developers. As such, different developers inevitably wrote different parts of the code, even where those parts interact with each other.

Netanel exploited a logical vulnerability in Moodle’s dynamic AJAX system, which allows different components to use the system’s built-in Ajax interface. Check out the full PoC report posted by Netanel on his blog here.

I completely agree with Netanel that this kind of logical vulnerability can and will occur in almost all systems featuring a large code base. Security issues in large code bases are of course not Moodle specific. This kind of security vulnerability may appear because Moodle code is contributed by hundreds of developers around the world, and the Moodle HQ security experts will now take a serious second look at Moodle security.

Have you also observed any security issues with your Moodle server? If yes, share with us in the comments section below or in Moodle’s security forum here.

Jaswinder Singh

Jaswinder Singh is passionate about using Moodle to improve the Indian education system and to reach students in far-flung areas where education still seems an impossible prospect in life. He is the author of the popular Moodle book "How to use Moodle 2.7". In October 2016, Jaswinder was elected as a Moodle User's Association Committee member - the first to make it from India.

  • Marina Glancy

    Jaswinder, can you please recommend to UPGRADE to 3.2.2, 3.1.5, 3.0.9 or 2.7.19 (whatever is relevant) instead of applying a patch.
    First of all, the patch will be different for different versions of moodle; the link you have included is the commit for the master branch, which nobody uses in production. Second, even when people find the patch for the correct version, patching is a dangerous process that can create conflicts and cause regressions.

    The fix for this security issue was included in the latest release and everybody should upgrade as soon as possible.

    • Hi Marina,
      Many thanks, I will update the article accordingly.

  • Pingback: Alert bezpieczeństwa Moodle

  • Pingback: MoodleWorld March Roundup report - How Moodle has progressed in last one month #moodle - Moodle World