A critical security vulnerability in the popular e-learning platform Moodle can be exploited to gain access to student data and exam papers, and could even be used to modify exam results. Moodle is an open-source e-learning platform used by 190,000 organizations across the world, most of them educational institutions such as colleges and universities. The bug is a PHP object injection vulnerability in Moodle's Shibboleth authentication module, which could allow malicious hackers to achieve remote code execution (RCE) and, through it, a complete takeover of the server.
If this happens, the attacker can access anything on the server, including student data, passwords, messages and exam grades. Penetration testers Robin Peraglie and Johannes Moritz found the flaw; they had been hunting bugs in Moodle because of two RCE vulnerabilities previously found in the Moodle software.
According to them, the vulnerability only affects Moodle LMS servers on which Shibboleth sign-in authentication is enabled. It is disabled by default, which is a relief to the educational institutions that use the module. But where it is enabled, unauthenticated attackers can remotely execute arbitrary system commands. This can lead to a complete compromise of the server, including leakage of user data. Students could also use it to tamper with exams before they take place.
According to the experts, the vulnerability is very easy to exploit. "After reporting the issue to Bugcrowd and following a lengthy disclosure process, the flaw has now been patched.
It took four months for the vulnerability to be triaged, revealed Moritz, who said he had the impression it was not treated as a priority.
When asked why they didn’t report it directly to Moodle, which has its own vulnerability disclosure program, the researcher said they are “quite inflexible with providing patches because of their two-month release cycle”.
Moritz did, however, reveal that the team also found a second critical Moodle pre-authentication bug – details of which will be released following a separate, ongoing coordinated disclosure process," reports the Daily Swig.