  1. #1

    Moodle Blog Module SQL Injection Vulnerability - Heads Up

    Message below arrived over the weekend from one of the sec mailing lists - no confirmation of it on the moodle site or other mailing list members yet though...

    I don't have a moodle install to test the proof of concept on but thought a few people might want to be aware if they run their Moodle in the configuration mentioned below so they can keep an eye out for security updates.

    Product:
    moodle 1.6.2
    http://www.moodle.org

    Vulnerability:
    SQL injection

    Notes:
    - SQL injection can be used to obtain password hash
    - the moodle blog "module" must be enabled
    - guest access to the blog must be enabled
    Left the proof of concept code out, wasn't sure it would be welcome here 8O

  2. #2 (Geoff)

    Re: Moodle Blog Module SQL Injection Vulnerability - Heads Up

    Blog is a third party module is it not? It doesn't seem to be present on my server.

  3. #3 (wesleyw)

    Re: Moodle Blog Module SQL Injection Vulnerability - Heads Up

    The blog module is on mine by default. But my Moodle site doesn't allow guest access.

    Wes

  4. #4 (Geoff)

    Re: Moodle Blog Module SQL Injection Vulnerability - Heads Up

    Nope, definitely no blog module here. I'm using 1.6.2-STABLE. Anyway, see:

    http://security.moodle.org/

    There's already a fix in CVS if you wish to patch early.

    http://moodle.cvs.sourceforge.net/mo....2&r2=1.18.2.3

  5. #5

    Re: Moodle Blog Module SQL Injection Vulnerability - Heads Up

    Whoops, how did I miss that security centre? Glad it wasn't all hot air anyway...

  6. #6 (Geoff)

    Re: Moodle Blog Module SQL Injection Vulnerability - Heads Up

    This is also probably a good time to remind everyone to use mod_security to protect their LAMP servers.

    http://www.modsecurity.org/

    I'll see if I can find/cook a snort IDS rule for the above SQL injection attack.
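
    As an added example (editor's code, not anything posted in this thread or shipped with Moodle, mod_security or Snort), the script below shows the kind of detection logic a defender can run over web server access logs while waiting for a vendor fix: it parses Apache combined-format lines, URL-decodes the query string of requests under a blog path, and flags generic SQL injection indicators (tautologies, UNION SELECT, trailing SQL comments, timing probes). The log lines, the `/moodle/blog/index.php` path and the `userid` parameter are constructed for illustration and are not taken from the advisory; the patterns are deliberately generic heuristics, so treat hits as leads to review rather than proof of compromise.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample Apache combined-log lines (not real traffic). The request
# path and parameter name are hypothetical; only the indicator shapes matter.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2006:10:01:02 +0000] "GET /moodle/blog/index.php?userid=3 HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Nov/2006:10:01:07 +0000] "GET /moodle/blog/index.php?userid=3%27%20UNION%20SELECT%201,2--%20 HTTP/1.1" 200 5120 "-" "curl/7.15"
10.0.0.9 - - [12/Nov/2006:10:01:09 +0000] "GET /moodle/blog/index.php?userid=3+OR+1%3D1 HTTP/1.1" 200 5120 "-" "curl/7.15"
10.0.0.7 - - [12/Nov/2006:10:02:00 +0000] "GET /moodle/course/view.php?id=5 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, identd, user, [timestamp], "METHOD URL PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)

# Generic SQL injection indicators, checked against the URL-decoded query string.
# These are heuristics: a value like "cats and dogs=1" would also trip "tautology".
SQLI_PATTERNS = [
    ("tautology", re.compile(r"\b(or|and)\s+[\w']+\s*=\s*[\w']+", re.I)),
    ("union_select", re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)),
    ("comment", re.compile(r"(--|#|/\*)\s*$")),
    ("time_probe", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
]


def parse_line(line):
    """Split one combined-log line into ip, path, decoded query and status.
    Returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("url").partition("?")
    return {
        "ip": m.group("ip"),
        "path": path,
        "query": unquote_plus(query),  # decode %27, %20, '+' etc. before matching
        "status": m.group("status"),
    }


def sqli_indicators(query):
    """Names of every indicator pattern that matches the decoded query string."""
    return [name for name, pat in SQLI_PATTERNS if pat.search(query)]


def scan_log(text, path_filter="/blog/"):
    """Return (ip, path, indicators) for each request under path_filter that
    carries at least one SQL injection indicator."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or path_filter not in rec["path"]:
            continue
        inds = sqli_indicators(rec["query"])
        if inds:
            hits.append((rec["ip"], rec["path"], inds))
    return hits


if __name__ == "__main__":
    for ip, path, inds in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(inds)}")
```

    Run against a real log with `scan_log(open("access.log").read())`; decoding before matching matters because the same payload can arrive percent-encoded, plus-encoded or plain, and a source IP that trips several indicators in quick succession on one path is the usual triage signal.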

  7. #7

    Re: Moodle Blog Module SQL Injection Vulnerability - Heads Up

    Quote Originally Posted by Geoff
    Nope, definitely no blog module here. I'm using 1.6.2-STABLE.
    That is probably because the blog has been turned off in the administration!!!

  8. #8 (Geoff)

    Re: Moodle Blog Module SQL Injection Vulnerability - Heads Up

    I was looking physically at the moodle files. I presume the blog module would be hiding in "<web server root>/mod/blog" which doesn't appear to exist in our install.
