  1. Moodle
  2. MDL-63436

[Affects all Moodle versions] Exposing OAuth2 database table name in OAuth2 flow due to improper handling of id parameter


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not a bug
    • Affects Version/s: 3.5.2
    • Fix Version/s: None
    • Labels:
      None
    • Affected Branches:
      MOODLE_35_STABLE

      Description

      Hi Moodle Security Team,

      Issue:

      There is a leak of the OAuth2 database table name in the OAuth2 flow due to improper handling of the id parameter while logging in with any third-party integration such as Google, Facebook, Microsoft, LinkedIn, etc.

      The id parameter is not properly sanitized, which causes an exception and throws an error with the OAuth2 database table name, that is: "oauth2_issuer"

       

      Steps To Reproduce:

      a) Go to any vulnerable Moodle endpoint which has 3rd-party integration, such as the one below:

      https://www.integrating-technology.org/login/index.php

      b) Click on login with Google, Microsoft, LinkedIn or any other. Now, before redirecting, copy the link URL and manipulate the id parameter before the OAuth2 flow.

      c) Change login.php?id={id} to any other junk id such as id=123432532 or 3224' (or any other number).

      d) You will see the error, which will leak the OAuth table name from the database, i.e. "oauth2_issuer".

      You can also go to the endpoint below directly to see the leak:

      https://www.integrating-technology.org/auth/oauth2/login.php?id=1999999999&wantsurl=%2F&sesskey=czGm8Bi2x6

      I have made some of the companies that are using Moodle fix this bug, and as this bug is from the vendor side, that is "Moodle itself", you should fix this ASAP.

      I have attached images:

      https://drive.google.com/open?id=1zO7uoYN5A_Ny21RA_N7of3hTpJHih_9T

       

      Regards.

      Kunal Bahl
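
Added example (not part of the original report and not Moodle's own code): a self-contained PHP model of the behaviour the report describes, where a failed issuer lookup puts the table name into the response, beside a handler that validates the id strictly and returns a generic message while logging the detail server-side. The exception class, the in-memory issuer list, the function names and the status codes are hypothetical stand-ins.

```php
<?php
// Added example with constructed data; none of these names are Moodle APIs.

// Hypothetical data-layer exception whose message names the table.
class MissingRecordException extends RuntimeException {
    public function __construct(string $table) {
        parent::__construct("Can't find data record in database table {$table}.");
    }
}

// Constructed rows standing in for the oauth2_issuer table.
const ISSUERS = [1 => 'Google', 2 => 'Microsoft'];

function load_issuer(int $id): string {
    if (!array_key_exists($id, ISSUERS)) {
        throw new MissingRecordException('oauth2_issuer');
    }
    return ISSUERS[$id];
}

// Verbose handler: loose cast of the id, data-layer message sent to the client.
function handle_verbose(string $rawid): array {
    try {
        return [200, 'Redirecting to ' . load_issuer((int) $rawid)];
    } catch (MissingRecordException $e) {
        return [500, $e->getMessage()];
    }
}

// Hardened handler: strict integer check, generic reply, detail kept in the server log.
function handle_hardened(string $rawid): array {
    $id = filter_var($rawid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, 'Invalid identity provider.'];
    }
    try {
        return [200, 'Redirecting to ' . load_issuer($id)];
    } catch (MissingRecordException $e) {
        error_log('OAuth2 issuer lookup failed: ' . $e->getMessage());
        return [404, 'Unknown identity provider.'];
    }
}

// One valid id plus the two junk ids quoted in the report.
foreach (['1', '1999999999', "3224'"] as $rawid) {
    [$vs, $vm] = handle_verbose($rawid);
    [$hs, $hm] = handle_hardened($rawid);
    printf("id=%-11s verbose: %d %s | hardened: %d %s\n", $rawid, $vs, $vm, $hs, $hm);
}
```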
