
Vulnerability: Denial of Service

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 3.1.1
    • Fix Version/s: None
    • Component/s: Accessibility
    • Labels: None
    • Affected Branches: MOODLE_31_STABLE

      Description

      Description:
      By default, Moodle has got a public path which is accessible by everybody. The path is:

      /admin/cron.php

      For example, if you use the moodle sandbox:

      https://demo.moodle.net/admin/cron.php

      The file called cron.php is a script which is used for maintenance tasks and it uses RAM memory. You can execute this file over a web connection.

      In this way, a malicious user could write a program which connects every second to this path to execute this file. Therefore, the malicious user consumes a lot of memory and it could cause the server to go down. In security, this attack is called a Denial of Service (DoS).

      STEPS:

      The steps are:
      1. Connect to the path http://XXXXXX/admin/cron.php or alternative paths such as http://XXXXX/moodle/admin/cron.php
      2. When you access this path, if the administrator doesn't change the default configuration, the script called cron.php is executed.
      3. Repeat the previous steps continuously until the web server doesn't reply. It would show a 500 Error which indicates the server is down.

      SOLUTION:

      Moodle has got an option to ban web connections from executing the file cron.php, but by default it is disabled, so if you want to solve this vulnerability, Moodle must have this configuration option enabled by default.
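      As an added example (not part of this report or of Moodle's own code), the following Python detector parses constructed Apache-style access-log lines and flags clients that hit a web cron endpoint in a burst, which is the traffic pattern the report describes. The server-side option the report refers to is, to my knowledge, Moodle's cronclionly setting, which restricts cron to the command line; the log format, thresholds and addresses below are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed Apache-style access-log lines; addresses and times are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2016:10:00:00 +0000] "GET /admin/cron.php HTTP/1.1" 200 512 "-" "python-requests/2.9"
203.0.113.7 - - [12/Jul/2016:10:00:01 +0000] "GET /admin/cron.php HTTP/1.1" 200 512 "-" "python-requests/2.9"
203.0.113.7 - - [12/Jul/2016:10:00:02 +0000] "GET /moodle/admin/cron.php HTTP/1.1" 200 512 "-" "python-requests/2.9"
203.0.113.7 - - [12/Jul/2016:10:00:03 +0000] "GET /admin/cron.php HTTP/1.1" 500 0 "-" "python-requests/2.9"
198.51.100.4 - - [12/Jul/2016:10:00:02 +0000] "GET /course/view.php?id=2 HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jul/2016:10:05:00 +0000] "GET /admin/cron.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    # Parse one combined-format log line; None if it does not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path").split("?", 1)[0],   # drop any query string
        "status": int(m.group("status")),
    }

def cron_hammering(log_text, window=timedelta(seconds=60), threshold=3):
    """Return {client_ip: total cron hits} for clients that requested a web cron
    endpoint (any path ending in /admin/cron.php) more than `threshold` times
    inside any sliding `window`; a legitimate trigger fires far less often."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].endswith("/admin/cron.php"):
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Running the detector over the sample flags only the client that requested cron.php four times within a few seconds; the occasional single hit from the second client is ignored.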

      People

      • Assignee: Unassigned
      • Reporter: NaxHack5 Ignacio
      • Component watchers: Adrian Greeve, Mihail Geshoski, Peter Dias
      • Votes: 0
      • Watchers: 1