CVE-2024-48897 - Moodle Vulnerability: Unauthorized RSS Feed Modification for Improper Access Control

Recently, a significant vulnerability has been discovered in Moodle, the widely used open-source learning management system. This vulnerability, assigned the ID CVE-2024-48897, allows attackers to modify or delete RSS feeds in a Moodle deployment without holding the proper permissions. As Moodle is used extensively in educational institutions and other organizations worldwide, it is critical that system administrators ensure their Moodle installations are protected against unauthorized RSS feed modifications.

Exploit Details

Moodle employs a robust permissions-based system for user access control. However, in its current implementation, users can edit or delete RSS feeds that they have no explicit permission to modify. This vulnerability arises from the absence of an additional check confirming the user's authorization for the specific feed before changes to it are allowed.

The following code snippet demonstrates the problematic behavior:

function delete_feed($id) {
  global $DB;
  $feed = $DB->get_record('block_rss_client', array('id' => $id));
  // Only a general capability is checked; nothing ties the caller to this particular feed.
  if ($feed && has_capability('block/rss_client:manageanyfeeds', context_block::instance($feed->id))) {
    $DB->delete_records('block_rss_client', array('id' => $id));
  }
}

In the code above, the delete_feed function allows deleting an RSS feed with a specific id. The function queries the database for the feed and checks if the user has the capability to manage any feeds. If true, it proceeds to delete the feed from the database.

The problem with this implementation is that it does not ensure that the user has permission to access or modify the specific feed they are attempting to delete. Only a check for the general capability 'block/rss_client:manageanyfeeds' is performed, without considering the context of the exact feed being modified.

To patch this vulnerability, additional safety measures are required to confirm that users have the appropriate permissions to modify or delete RSS feeds. The following code snippet demonstrates the necessary changes to the delete_feed function:

function delete_feed($id) {
  global $DB;
  $feed = $DB->get_record('block_rss_client', array('id' => $id));
  if (!$feed) {
    return; // Unknown id: nothing to delete, and no context lookup on a missing record.
  }
  $context = context_block::instance($feed->id);
  // Require both the general capability and authorization for this specific feed.
  if (has_capability('block/rss_client:manageanyfeeds', $context) && has_capability('block/rss_client:managethisfeed', $context)) {
    $DB->delete_records('block_rss_client', array('id' => $id));
  }
}

The updated delete_feed function above adds an extra check for the 'block/rss_client:managethisfeed' permission, ensuring that the user has the required authorization to modify or delete the specific RSS feed in question.
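The same object-level authorization, written as a self-contained example that is not part of the original article or of Moodle's code: instead of the article's per-feed capability, it uses an ownership check modelled on Moodle's existing block/rss_client:manageownfeeds and block/rss_client:manageanyfeeds capabilities. The FeedAuthz class, the in-memory feed rows and the capability grants are constructed here to stand in for $DB and has_capability().

```php
<?php
// Added example, not Moodle's code: object-level authorization for RSS feed deletion.
// Feed rows mirror block_rss_client columns (id, userid); capability names mirror
// Moodle's block/rss_client:manageownfeeds and block/rss_client:manageanyfeeds.
// $DB and has_capability() are replaced by an in-memory model built for this example.
final class FeedAuthz {
    public array $denied = [];   // audit trail of refused attempts, useful for detection
    public function __construct(private array $feeds, private array $caps) {}

    private function hasCapability(int $userid, string $cap): bool {
        return in_array($cap, $this->caps[$userid] ?? [], true);
    }

    // The step the vulnerable code lacks: a role-wide capability is not enough, the
    // requested record itself must belong to the caller unless they may manage any feed.
    public function canManageFeed(int $userid, array $feed): bool {
        if ($this->hasCapability($userid, 'block/rss_client:manageanyfeeds')) {
            return true;
        }
        return $feed['userid'] === $userid
            && $this->hasCapability($userid, 'block/rss_client:manageownfeeds');
    }

    // Look the record up first, authorize against that record, and only then delete.
    public function deleteFeed(int $userid, int $id): bool {
        $feed = $this->feeds[$id] ?? null;
        if ($feed === null) {
            return false;        // unknown id: nothing to delete and no null dereference
        }
        if (!$this->canManageFeed($userid, $feed)) {
            $this->denied[] = "user $userid refused delete of feed $id owned by {$feed['userid']}";
            return false;
        }
        unset($this->feeds[$id]);
        return true;
    }
}

// Constructed sample data: two feed owners holding manageownfeeds, one user holding manageanyfeeds.
$authz = new FeedAuthz(
    [1 => ['id' => 1, 'userid' => 10], 2 => ['id' => 2, 'userid' => 20]],
    [10 => ['block/rss_client:manageownfeeds'],
     20 => ['block/rss_client:manageownfeeds'],
     99 => ['block/rss_client:manageanyfeeds']]
);
foreach ([[10, 2, 'own-feed capability, another user\'s feed'], [10, 1, 'own feed'],
          [99, 2, 'manage-any capability'], [99, 42, 'unknown feed id']] as [$u, $id, $label]) {
    printf("%-40s -> %s\n", $label, $authz->deleteFeed($u, $id) ? 'deleted' : 'refused');
}
echo implode(PHP_EOL, $authz->denied), PHP_EOL;
```

The refused attempts collected in $denied are the events worth forwarding to a log: a user holding only the own-feed capability who repeatedly targets other users' feed ids is exactly the pattern this vulnerability let succeed.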

Conclusion

To protect your Moodle installation from unauthorized modifications or deletions of RSS feeds, it is crucial to implement the necessary changes to the codebase and update the permissions system as demonstrated above. Following this, Moodle administrators should ensure that their deployment is up to date with the latest security patches to maintain a safe and secure learning environment for all users.

By addressing this vulnerability promptly, educational institutions and organizations using Moodle can avoid potential misuse of RSS feeds, maintaining the trustworthiness and reliability of their online learning platforms.

Timeline

Published on: 11/18/2024 12:15:18 UTC
Last modified on: 11/20/2024 14:48:25 UTC