Abstract Advisory Information
The “edit_blog.php” script allows a registered user to add external RSS feed resources.
It was identified that this feature could be abused to be used as a SSRF attack vector by adding a malicious URL/TCP PORT in order to target internal network or an internet hosted server, bypassing firewall rules, IP filtering and more.
This kind of vulnerability is then called “blind” because of no response available on Moodle web site, enforcing attacker to exploit it using a “time based” approach.
The discovered issue permit to perform GET request, inluding parameters that allows an attacker to potentially perform remote code execution (RCE) exploiting a vulnerability.
Authors: Jean-Marie Bourbon
Version affected
Name: Moodle CMS
Versions: prior 3.1.x
Common Vulnerability Scoring System
5.0
VSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Patches
Moodle versions newer than 3.1.x have configurable options to prevent this vulnerability.
References
None
Vulnerability Disclosure Timeline
- 14/11/2018: Vulnerability discovered
- 16/11/2018: First contact with the vendor
- 12/12/2018: Acknowledge from the vendor
- 18/02/2019: Public Disclosure
- 22/03/2019: Vendor ask for advisory modification
- 15/04/2019: Advisory update