Abstract Advisory Information


The “edit_blog.php” script allows a registered user to add external RSS feed resources.

It was identified that this feature could be abused to be used as a SSRF attack vector by adding a malicious URL/TCP PORT in order to target internal network or an internet hosted server, bypassing firewall rules, IP filtering and more.

This kind of vulnerability is then called “blind” because of no response available on Moodle web site, enforcing attacker to exploit it using a “time based” approach.

The discovered issue permit to perform GET request, inluding parameters that allows an attacker to potentially perform remote code execution (RCE) exploiting a vulnerability.

Author: Jean-Marie Bourbon

Version affected


Name: Moodle CMS

Versions: prior 3.1.x

Common Vulnerability Scoring System


5.0

VSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Patches


Moodle versions newer than 3.1.x have configurable options to prevent this vulnerability.

References


None

Vulnerability Disclosure Timeline


  • 14/11/2018: Vulnerability discovered
  • 16/11/2018: First contact with the vendor
  • 12/12/2018: Acknowledge from the vendor
  • 18/02/2019: Public Disclosure
  • 22/03/2019: Vendor ask for advisory modification
  • 15/04/2019:  Advisory update