Virtual Learning Platforms Thread: Moodle Blog Module SQL Injection Vulnerability - Heads Up (Technical)
9th October 2006, 09:52 AM #1 Moodle Blog Module SQL Injection Vulnerability - Heads Up
Message below arrived over the weekend from one of the sec mailing lists - no confirmation of it on the moodle site or other mailing list members yet though...
I don't have a moodle install to test the proof of concept on but thought a few people might want to be aware if they run their Moodle in the configuration mentioned below so they can keep an eye out for security updates.
Product:
moodle 1.6.2
http://www.moodle.org
Vulnerability:
SQL injection
Notes:
- SQL injection can be used to obtain password hash
- the moodle blog "module" must be enabled
- guest access to the blog must be enabled
Left the proof of concept code out, wasn't sure it would be welcome here 8O
9th October 2006, 10:01 AM #2 Re: Moodle Blog Module SQL Injection Vulnerability - Heads Up
Blog is a third party module is it not? It doesn't seem to be present on my server.
9th October 2006, 10:05 AM #3 Re: Moodle Blog Module SQL Injection Vulnerability - Heads Up
The blog module is on mine by default. But my Moodle site doesn't allow guest access.
Wes
9th October 2006, 10:25 AM #4 Re: Moodle Blog Module SQL Injection Vulnerability - Heads Up
Nope, definitely no blog module here. I'm using 1.6.2-STABLE. Anyway, see:
http://security.moodle.org/
There's already a fix in CVS if you wish to patch early.
http://moodle.cvs.sourceforge.net/mo....2&r2=1.18.2.3
9th October 2006, 10:30 AM #5 Re: Moodle Blog Module SQL Injection Vulnerability - Heads Up
Whoops, how did I miss that security centre? Glad it wasn't all hot air anyway...
9th October 2006, 10:39 AM #6 Re: Moodle Blog Module SQL Injection Vulnerability - Heads Up
This is also probably a good time to remind everyone to use mod_security to protect their LAMP servers. 
http://www.modsecurity.org/
I'll see if I can find/cook a snort IDS rule for the above SQL injection attack.
9th October 2006, 02:19 PM #7 Re: Moodle Blog Module SQL Injection Vulnerability - Heads Up

Originally Posted by Geoff: Nope, definitely no blog module here. I'm using 1.6.2-STABLE.
That is probably because the blog has been turned off in the administration!!!
9th October 2006, 02:25 PM #8 Re: Moodle Blog Module SQL Injection Vulnerability - Heads Up
I was looking physically at the moodle files. I presume the blog module would be hiding in "<web server root>/mod/blog" which doesn't appear to exist in our install.