CVE-2024-48898: A deep dive into a Moodle vulnerability allowing unauthorized deletion of audiences from reports

Recently, a security vulnerability was discovered in Moodle, a popular open-source learning management system, which has been assigned the identifier CVE-2024-48898. This vulnerability affects users with the permission to delete audiences from specific reports, allowing them to circumvent the normal permission checks and potentially delete audiences from other reports that they do not have permission to access. In this long-read blog post, we will discuss the details of this vulnerability, explore a code snippet demonstrating the issue, and provide links to original references for further information.

Exploit Details

The issue resides in the way Moodle handles the deletion of cohorts (internally referred to as audiences) from reports. Users with the required capability moodle/cohort:manage for a specific report were allowed to manipulate the audience instances tied to the report by directly changing the audience deletion URL parameters without proper access checks.

To give a clearer understanding, let's take a look at a code snippet that demonstrates this vulnerability. Here is a simplified version of the vulnerable code in question:

// File: report/cohorts/index.php

require_login();

$context = context_system::instance();

$canmanage = has_capability('moodle/cohort:manage', $context);

if ($canmanage) {
    $cohortid = optional_param('delete', , PARAM_INT);
    
    if ($cohortid) {
        $cohort = cohort_get_by_id($cohortid);
        if ($cohort) {
            cohort_delete_cohort($cohort); // DELETE without checking if the user has access to delete it
        }
    }
}

This code snippet demonstrates that Moodle does not properly enforce the permission checks before the deletion of a cohort is performed. As long as a user has the moodle/cohort:manage capability in the system context, they can successfully delete any cohort as long as they know or guess the target cohort ID by simply changing the HTTP GET delete parameter value.

For example, an attacker with limited report management privileges could delete an audience from a report they do not have access to by visiting a URL similar to this:

https://example.com/report/cohorts/index.php?delete=<target_cohort_id>;

Impact

The exploitation of this vulnerability can lead to unauthorized manipulation of data (audiences) in reports, making it possible for malicious users to interfere with the correct functioning of Moodle or disrupt the intended structure designed by the legitimate administrators. Moreover, this may lead to information breaches or make certain data inaccessible for users who may depend on it for their educational and administrative activities.

Mitigation and Patch

Moodle has released a patch to address this vulnerability by adding proper permissions check in the affected code. Users are advised to update their Moodle installation to the latest version which includes the security patch to protect against this vulnerability. The patched version can be found at:

https://download.moodle.org/releases/security/

In addition to applying the patch, it is essential for administrators to regularly review and update user permissions to ensure that users are granted the least amount of privileges necessary to perform their tasks.

Conclusion

CVE-2024-48898 is a security vulnerability that highlights the importance of strictly enforcing permission checks within any web application, including Moodle. By addressing this issue, Moodle has made its platform more secure and reliable for its users.

For more information about this vulnerability, you can visit the following resources

- CVE-2024-48898 Official Entry
- Moodle Security Advisory (MDL-73914)
- Moodle Release Notes

Timeline

Published on: 11/18/2024 12:15:18 UTC
Last modified on: 11/20/2024 14:46:16 UTC