Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Not a bug
- Affects Version/s: 3.9.2
- Fix Version/s: None
- Component/s: Authentication, User management
- Affected Branches: MOODLE_39_STABLE
Description
Hello,
I'm Ge5iveK. I'm reporting a Sessions-Based Insecure Direct Object Reference (IDOR) allowing unauthenticated user profile access in the latest Moodle version 3.9.2 and possibly earlier versions. I have previously sent an email to Moodle security, but there hasn't been any confirmation for a week, so I'm trying to report again using the tracker.
1.0 INTRODUCTION
Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly.
2.0 ISSUE
I recently tested for IDOR in Moodle and found that the proof of concept I'm going to give you was exploitable in all the institutions that I tested, that used Moodle.
I wanted to access all the online users' (students') profiles with my student account. So, I intercepted the GET request made for getting a student's profile. Surprisingly, I was able to just change the ID parameter and I could access an online student's profile. I tested this again after locally installing Moodle and testing in a safer, reportable manner. I found the same results. I tested using different devices to simulate real-world students, and found the same result.
2.1 PROOF OF CONCEPT (POC) / STEPS TO REPRODUCE
Video PoC already sent to security@moodle & uploaded in tracker attachment below.
1. Open 2 student accounts, and add them both to the same course.
2. Log in using both the student accounts on different containers (machines), to simulate real world login.
3. Intercept the requests when the students click on 'profile' drop-down menu item which expands when we click the profile icon on the top right corner.
4. Assume that student 1 is the attacker and student 2 is the victim.
5. Send the attacker's GET request to Repeater (I'm using Burp Suite).
6. Copy the ID parameter in the GET request of the victim's request and replace the attacker's ID parameter with that of the victim's.
7. The attacker can now access any logged-in user's profile without a Moodle session change or authentication.
Usually this should be protected against in the default Moodle installation.
3.0 IMPACT
The security impact for organizations using Moodle is very high because there is confidential information like students' personal email, session times, account access location, private file uploads etc., on a student's main profile page. If this IDOR can be mixed with an Intruder attack, then mass access to student profiles can be made by an attacker.
4.0 CONCLUSION
Thank you for reading this responsibly disclosed report. I would kindly request the Moodle team to add me to the Hall of Fame (HoF) and declare this as a Common Vulnerability Exposure (CVE) report. Thank you again for your time reading this.
~ GeFiveK
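The report above turns on one design point: which identity an authorization decision is made from. The following is an added illustration, not Moodle code and not the reporter's PoC; the user directory, the course enrolments, the `?id=` handler and the visibility policy (own profile, admin, or a shared course) are all constructed for the demo. It places the IDOR-prone pattern, where a valid session is the only check and the `id` query parameter is trusted as-is, beside a handler that derives the decision from the session identity plus a server-side relationship lookup, and that also minimises the fields returned to a non-owner.

```python
"""IDOR on a profile endpoint: insecure pattern beside its hardened form.
Added example (not Moodle code). All users, enrolments and policy below are
constructed for the demo."""
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class User:
    id: int
    name: str
    email: str
    is_admin: bool = False


# Constructed sample directory: user id -> User
USERS = {
    1: User(1, "alice", "alice@example.invalid"),
    2: User(2, "bob", "bob@example.invalid"),
    3: User(3, "carol", "carol@example.invalid"),
    9: User(9, "root", "admin@example.invalid", is_admin=True),
}

# Constructed enrolments: course id -> set of enrolled user ids
ENROLMENTS = {
    101: {1, 2},   # alice and bob share course 101
    202: {3},      # carol is alone in course 202
}


class Forbidden(Exception):
    """Raised when the session identity is not allowed to see the target."""


def profile_view_insecure(session_user_id: int, requested_id: int) -> dict:
    """IDOR-prone pattern: having *a* session is the only check, and the
    client-supplied id selects the record directly."""
    if session_user_id not in USERS:
        raise Forbidden("login required")
    u = USERS[requested_id]
    return {"id": u.id, "name": u.name, "email": u.email}


def shares_course(a: int, b: int) -> bool:
    """True if users a and b are both enrolled in at least one common course."""
    return any(a in members and b in members for members in ENROLMENTS.values())


def can_view_profile(viewer_id: int, target_id: int) -> bool:
    """Authorization decided from the session identity, never from the
    requested id alone. Demo policy: own profile, admin, or shared course."""
    if viewer_id not in USERS or target_id not in USERS:
        return False
    if viewer_id == target_id or USERS[viewer_id].is_admin:
        return True
    return shares_course(viewer_id, target_id)


def profile_view_secure(session_user_id: int, requested_id: int) -> dict:
    """Hardened form: relationship check plus field minimisation."""
    if session_user_id not in USERS:
        raise Forbidden("login required")
    if not can_view_profile(session_user_id, requested_id):
        # Denied requests carry the *subject* identity, which is what an
        # audit log or a mass-enumeration detection rule keys on.
        raise Forbidden(f"user {session_user_id} may not view profile {requested_id}")
    u = USERS[requested_id]
    out = {"id": u.id, "name": u.name}
    # Contact details only for the owner or an admin, not for a classmate.
    if session_user_id == u.id or USERS[session_user_id].is_admin:
        out["email"] = u.email
    return out


def handle_profile_get(session_user_id: int, query_string: str):
    """Simulated GET /profile?id=N handler. Returns (status, body).
    A missing id defaults to the caller's own profile; a malformed id is 400."""
    params = parse_qs(query_string)
    try:
        requested_id = int(params.get("id", [str(session_user_id)])[0])
    except ValueError:
        return 400, {"error": "bad id"}
    try:
        return 200, profile_view_secure(session_user_id, requested_id)
    except Forbidden as exc:
        return 403, {"error": str(exc)}


if __name__ == "__main__":
    # alice (1) asking for carol (3): leaks under the insecure handler,
    # denied under the hardened one.
    print(profile_view_insecure(1, 3))
    print(handle_profile_get(1, "id=3"))
    print(handle_profile_get(1, "id=2"))
```

The point the hardened handler makes is that the `id` parameter is a selector, not an authority: the server resolves who is asking from the session, looks up the relationship between that subject and the requested object, and only then reads the record. Denials are raised with the subject identity attached so that a burst of 403s from one session against many ids is easy to spot.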