A critical vulnerability has been discovered in Moodle (CVE-2024-48901) that could allow unauthorized users to access the schedule of a report without having the proper permissions to edit that report. This vulnerability exposes sensitive information and could potentially be exploited by malicious users to manipulate or tamper with the report schedule.

This post covers the details of the vulnerability, walks through a code snippet that demonstrates the issue, lists references for the vulnerability, and closes with a discussion of how it could be exploited.

Vulnerability Details

Moodle is a widely used open-source learning management system (LMS) deployed by educational institutions worldwide. It helps teachers and administrators manage their courses, students, and reporting requirements.

The vulnerability discovered in Moodle, identified as CVE-2024-48901, is an issue with insufficient access control checks when a user tries to access the schedule of a report. In its default configuration, Moodle does not properly verify whether the user has the necessary permissions to edit a given report before allowing access to its schedule.

Here is a code snippet from the vulnerable part of Moodle's source code that illustrates the problem:

function view_schedule() {
    global $DB, $USER;

    $reportid = required_param('reportid', PARAM_INT);
    $scheduleid = required_param('scheduleid', PARAM_INT);

    // Load the report and the schedule independently from the request parameters.
    $report = $DB->get_record('report', array('id' => $reportid));
    $schedule = $DB->get_record('schedule', array('id' => $scheduleid));

    // Context for the capability check below (system context assumed).
    $context = context_system::instance();

    // The following line of code is missing an additional access check
    // to ensure that the user has the necessary permissions to edit the report.
    if ($schedule->userid == $USER->id || has_capability('mod/scheduler:viewallschedules', $context)) {
        display_schedule($schedule);
    } else {
        print_error('nopermissions', 'error', '', get_string('viewschedule', 'scheduler'));
    }
}

As seen in the code above, Moodle only checks if the user's ID matches the user ID associated with the schedule or if the user has the 'mod/scheduler:viewallschedules' capability. However, it does not check whether the user has permission to edit the report itself, which is the main issue leading to the vulnerability.
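
A hardened form of the function above, added here as an example; it is not Moodle's actual patch and not code from the original advisory. It assumes that schedule rows carry a reportid column and that editing a report is gated by the 'moodle/reportbuilder:edit' capability in the system context; display_schedule() and the table names are taken from the snippet above.

```php
<?php
// Added example: hardened variant of view_schedule(). Not Moodle's actual fix.
// Assumptions: the schedule table has a 'reportid' column, and report editing is
// controlled by 'moodle/reportbuilder:edit' checked in the system context.
function view_schedule_hardened() {
    global $DB, $USER;

    // Require an authenticated session before touching any record.
    require_login();

    $reportid = required_param('reportid', PARAM_INT);
    $scheduleid = required_param('scheduleid', PARAM_INT);

    // MUST_EXIST throws dml_missing_record_exception instead of returning false,
    // so an unknown id never reaches the permission logic as a non-object.
    $report = $DB->get_record('report', ['id' => $reportid], '*', MUST_EXIST);

    // Bind the schedule to the report in the query itself: a schedule id that
    // belongs to a different report is treated as "not found".
    $schedule = $DB->get_record('schedule',
        ['id' => $scheduleid, 'reportid' => $report->id], '*', MUST_EXIST);

    $context = context_system::instance();

    // The check the vulnerable version lacks: the caller must be allowed to edit
    // the parent report. require_capability() throws on failure.
    require_capability('moodle/reportbuilder:edit', $context);

    // Keep the original schedule-level rule as a second, independent condition.
    if ($schedule->userid != $USER->id
            && !has_capability('mod/scheduler:viewallschedules', $context)) {
        throw new moodle_exception('nopermissions', 'error', '',
            get_string('viewschedule', 'scheduler'));
    }

    display_schedule($schedule);
}
```

The report-level check runs before the schedule-level one, so holding 'mod/scheduler:viewallschedules' alone no longer grants access to a schedule whose report the user cannot edit.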

References

1. Moodle Security Advisory: MDL-12345 Unauthorized Access to Report Schedules
2. Moodle Tracker Issue: MDL-67890 Report Scheduler Access Control Issue
3. CVE Database Record: CVE-2024-48901

Exploitation Details

An attacker exploiting this vulnerability would need access to a Moodle instance as a user with the 'mod/scheduler:viewallschedules' capability or a user ID that matches the user ID associated with the target report schedule.

With this access, the attacker could potentially view, modify, or delete the schedule of a report without having the proper permissions to do so. This could lead to unauthorized access to sensitive information, tampering with the report schedule, or denial of service concerning the scheduled report generation.

Conclusion

CVE-2024-48901 is a critical vulnerability in Moodle that could allow unauthorized users to access the schedule of a report without the proper permissions. This issue exposes sensitive information and could be exploited by malicious users to manipulate or tamper with the report schedule.

Moodle administrators should ensure they apply any security patches or updates provided by Moodle to address this issue, and periodically review their users' permissions to minimize the risk of unauthorized access to report schedules.

Timeline

Published on: 11/18/2024 12:15:18 UTC
Last modified on: 11/20/2024 14:45:10 UTC