exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ProCheckUp Security Advisory 2008.16

ProCheckUp Security Advisory 2008.16
Posted Jul 23, 2008
Authored by ProCheckUp | Site procheckup.com

Moodle versions 1.7.4 and below suffer from a cross site request forgery vulnerability.

tags | exploit, csrf
SHA-256 | 9b672c9891f43e963372288c6214110301eb382e12f52a3d07f345af494e127d

ProCheckUp Security Advisory 2008.16

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PR08-16: CSRF (Cross-site Request Forgery) on Moodle edit profile page

Vulnerability found: 25/06/2008

Vendor informed: 28/06/2008

Vulnerability fixed: 16/07/2008

Advisory publicly released: 22/07/2008

Severity: High

Description:

HTTP requests can be forged due to lack of tokenization. By tricking the
victim to visit a third-party page while being logged in, certain
actions can be forged on behalf of the target user.


Notes:

- - The victim's user ID ('id') parameter and course ID ('course'
parameter) are required for a successful attack. However, such values
are public as they can be obtained from many sections of the site such as:

user blogs ('/blog/')
chats
public profiles. i.e.: '/user/view.php?id=2&course=1',
'/user/index.php?id=1',
'/user/index.php?id=1&group=&perpage=20&teachers=1&accesssince=0&search=0&perpage=500'

or even predicted. i.e.: the user ID of the admin account would be 2.

- - The fields surname, email address and department are supposed to be
non-editable by students. However, such restriction is only graphical
(fields are "type='hidden'"). A student can save the form on his desktop
and change the values of such fields. Once the form is resubmitted, the
values would remain persistently changed in the application.

- - Moodle reveals its version within HTML source code. i.e.: <a
title="moodle 1.6.5 + (2006050550)" href="http://moodle.org/">


Proof of concept (code available on
[http://www.procheckup.com/moodle_CSRF_poc.php.txt]):

The following steps can be followed by the attacker to fully compromise
the target Moodle site (gain administrative access):

1. Locate course ID and user ID of administrator user from public
profile. By default the admin's course ID is 1, and his user ID is 2.

2. Get administrator's email address (also included in public profile)

3. Send social engineering email to administrator in order to trick him
to visit the CSRF PoC URL while being logged in. The PoC URL simply
loads a form that submits automatically and changes the victim's profile
settings to include information chosen by the attacker. i.e.: attacker's
email address.
~ Example PoC URL:
http://evil.foo/moodle_CSRF_poc.php?e=attacker@mailinator.com&u=223332&c=1&s=https://moodle.target.edu
(see the contents of 'moodle_CSRF_poc.php.txt' for more information)

4. Now the attacker can compromise the targeted account by requesting a
"password reset link" and supplying the email address used in the CSRF
attack payload

Due to the cross-user interaction nature of Moodle, there are many other
ways the victim user could be tricked to click on the PoC URL. i.e.: by
posting it in a blog post, chat session, etc.

Tested environment:

Server: Apache/2.2.2 (Unix) PHP/5.2.1 mod_ssl/2.2.2 OpenSSL/0.9.7l
Moodle 1.6.5 + (2006050550)

Versions affected as confirmed by the vendor:

1.6, 1.7, 1.7.4, 1.7.3, 1.7.2, 1.7.1, 1.6.6, 1.6.5, 1.6.4, 1.6.3, 1.6.2,
1.6.1

Not vulnerable: 1.6.7, 1.7.5

Consequences:

By forging "interesting" requests, the victim's account can be
compromised. i.e.: "Edit profile" (/user/editadvanced.php?id=2&course=1)
which can change the victim's password to the one chosen by the attacker.
By targetting an administrator account, the attacker can fully
compromise the target Moodle site.

Fix:

This issue has been tracked as MDL-15450.

Upgrade to 1.6.7, 1.7.5 or any recent nightly or use patch
http://cvs.moodle.org/moodle/user/edit.php?r1=1.112.2.4.2.1&r2=1.112.2.4.2.2
+
http://cvs.moodle.org/moodle/user/Attic/edit.html?r1=1.88.2.3&r2=1.88.2.3.2.1



References:

http://moodle.org/mod/forum/discuss.php?d=101405
http://www.procheckup.com/Vulnerabilities.php

Credits: Amir Azam and Adrian Pastor of ProCheckUp Ltd. (www.procheckup.com)

ProCheckUp would like to thank Petr Skoda and the rest of the Moodle
team for their excellent response time and cooperation towards resolving
this matter.

Legal:

Copyright 2008 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if, the Bulletin is not edited or changed in any way, is attributed
to Procheckup, and provided such reproduction and/or distribution is
performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not
liable for any misuse of this information by any third party.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIhgP0oR/Hvsj3i8sRAsGrAJ0Qo3FX9v2ir29VkqISaIml5KeFKwCdGM6f
2k1kRrswVyShISmJdQHDU7c=
=aAWP
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close