ProCheckUp Security Advisory 2008.16

Type packetstorm
Reporter ProCheckUp
Modified 2008-07-23T00:00:00


                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
PR08-16: CSRF (Cross-site Request Forgery) on Moodle edit profile page  
Vulnerability found: 25/06/2008  
Vendor informed: 28/06/2008  
Vulnerability fixed: 16/07/2008  
Advisory publicly released: 22/07/2008  
Severity: High  
HTTP requests can be forged due to lack of tokenization. By tricking the  
victim to visit a third-party page while being logged in, certain  
actions can be forged on behalf of the target user.  
- - The victim's user ID ('id') parameter and course ID ('course'  
parameter) are required for a successful attack. However, such values  
are public as they can be obtained from many sections of the site such as:  
user blogs ('/blog/')  
public profiles. i.e.: '/user/view.php?id=2&course=1',  
or even predicted. i.e.: the user ID of the admin account would be 2.  
- - The fields surname, email address and department are supposed to be  
non-editable by students. However, such restriction is only graphical  
(fields are "type='hidden'"). A student can save the form on his desktop  
and change the values of such fields. Once the form is resubmitted, the  
values would remain persistently changed in the application.  
- - Moodle reveals its version within HTML source code. i.e.: <a  
title="moodle 1.6.5 + (2006050550)" href="">  
Proof of concept (code available on  
The following steps can be followed by the attacker to fully compromise  
the target Moodle site (gain administrative access):  
1. Locate course ID and user ID of administrator user from public  
profile. By default the admin's course ID is 1, and his user ID is 2.  
2. Get administrator's email address (also included in public profile)  
3. Send social engineering email to administrator in order to trick him  
to visit the CSRF PoC URL while being logged in. The PoC URL simply  
loads a form that submits automatically and changes the victim's profile  
settings to include information chosen by the attacker. i.e.: attacker's  
email address.  
~ Example PoC URL:  
(see the contents of 'moodle_CSRF_poc.php.txt' for more information)  
4. Now the attacker can compromise the targeted account by requesting a  
"password reset link" and supplying the email address used in the CSRF  
attack payload  
Due to the cross-user interaction nature of Moodle, there are many other  
ways the victim user could be tricked to click on the PoC URL. i.e.: by  
posting it in a blog post, chat session, etc.  
Tested environment:  
Server: Apache/2.2.2 (Unix) PHP/5.2.1 mod_ssl/2.2.2 OpenSSL/0.9.7l  
Moodle 1.6.5 + (2006050550)  
Versions affected as confirmed by the vendor:  
1.6, 1.7, 1.7.4, 1.7.3, 1.7.2, 1.7.1, 1.6.6, 1.6.5, 1.6.4, 1.6.3, 1.6.2,  
Not vulnerable: 1.6.7, 1.7.5  
By forging "interesting" requests, the victim's account can be  
compromised. i.e.: "Edit profile" (/user/editadvanced.php?id=2&course=1)  
which can change the victim's password to the one chosen by the attacker.  
By targetting an administrator account, the attacker can fully  
compromise the target Moodle site.  
This issue has been tracked as MDL-15450.  
Upgrade to 1.6.7, 1.7.5 or any recent nightly or use patch  
Credits: Amir Azam and Adrian Pastor of ProCheckUp Ltd. (  
ProCheckUp would like to thank Petr Skoda and the rest of the Moodle  
team for their excellent response time and cooperation towards resolving  
this matter.  
Copyright 2008 Procheckup Ltd. All rights reserved.  
Permission is granted for copying and circulating this Bulletin to the  
Internet community for the purpose of alerting them to problems, if and  
only if, the Bulletin is not edited or changed in any way, is attributed  
to Procheckup, and provided such reproduction and/or distribution is  
performed for non-commercial purposes.  
Any other use of this information is prohibited. Procheckup is not  
liable for any misuse of this information by any third party.  
Version: GnuPG v1.4.6 (GNU/Linux)