Message below arrived over the weekend from one of the sec mailing lists - no confirmation of it on the moodle site or other mailing list members yet though...
I don't have a moodle install to test the proof of concept on but thought a few people might want to be aware if they run their Moodle in the configuration mentioned below so they can keep an eye out for security updates.
Left the proof of concept code out, wasn't sure it would be welcome here 8O
Product:
moodle 1.6.2
http://www.moodle.org
Vulnerability:
SQL injection
Notes:
- SQL injection can be used to obtain password hash
- the moodle blog "module" must be enabled
- guest access to the blog must be enabled
Blog is a third-party module, is it not? It doesn't seem to be present on my server.
The blog module is on mine by default. But my Moodle site doesn't allow guest access.
Wes
Nope, definitely no blog module here. I'm using 1.6.2-STABLE. Anyway, see:
http://security.moodle.org/
There's already a fix in CVS if you wish to patch early.
http://moodle.cvs.sourceforge.net/mo....2&r2=1.18.2.3
Whoops, how did I miss that security centre? Glad it wasn't all hot air anyway...
This is also probably a good time to remind everyone to use mod_security to protect their LAMP servers.
http://www.modsecurity.org/
I'll see if I can find/cook a snort IDS rule for the above SQL injection attack.
That is probably because the blog has been turned off in the administration!!!
Originally Posted by Geoff
I was looking physically at the moodle files. I presume the blog module would be hiding in "<web server root>/mod/blog" which doesn't appear to exist in our install.