Back to School - Exploiting a Remote Code Execution Vulnerability in Moodle
Surprisingly often, implementations include functionality where user input is passed to dangerous functions like PHP's eval(), despite clear warnings.
Often, devs are somewhat aware of this danger and attempt to sanitize the input, but this approach is rarely as robust as assumed.
In this post, we will show you how we bypassed the sanitization attempts of the popular learning platform Moodle to achieve remote code execution, and demonstrate why it is always best to stick to the famous quote from Rasmus Lerdorf, creator of PHP:
If eval() is the answer, you’re almost certainly asking the wrong question.
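To make the point concrete, here is an added example (it is not Moodle's code and not from the original post) of the two approaches the text contrasts: a filter-then-eval() pattern, where the whole application's security rests on a regular expression being perfect, next to a small purpose-built arithmetic evaluator that never hands user input to the PHP interpreter at all. The calculator scenario, the function and class names, and the sample inputs are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// Anti-pattern (constructed for illustration): an allow-list check in front
// of eval(). The filter looks restrictive, but eval() still executes whatever
// survives it, so any gap in the filter becomes code execution.
function evaluate_formula_with_eval(string $formula): float
{
    if (!preg_match('/^[0-9+\-*\/(). ]+$/', $formula)) {
        throw new InvalidArgumentException('formula rejected by filter');
    }
    return (float) eval("return $formula;");
}

// Safer pattern: a dedicated recursive-descent evaluator. It recognises only
// numbers, + - * / and parentheses; there is no code path through which any
// other input could be executed, so no "sanitization" needs to be perfect.
final class ArithmeticEvaluator
{
    private array $tokens = [];
    private int $pos = 0;

    public function evaluate(string $formula): float
    {
        $this->tokens = $this->tokenize($formula);
        $this->pos = 0;
        $value = $this->parseExpression();
        if ($this->pos !== count($this->tokens)) {
            throw new InvalidArgumentException('unexpected trailing input');
        }
        return $value;
    }

    // Numbers become floats, operators and parentheses stay single-char strings;
    // anything else is rejected outright rather than "cleaned".
    private function tokenize(string $s): array
    {
        $tokens = [];
        $len = strlen($s);
        for ($i = 0; $i < $len;) {
            $c = $s[$i];
            if (ctype_space($c)) { $i++; continue; }
            if (strpos('+-*/()', $c) !== false) { $tokens[] = $c; $i++; continue; }
            if (ctype_digit($c) || $c === '.') {
                $j = $i;
                while ($j < $len && (ctype_digit($s[$j]) || $s[$j] === '.')) { $j++; }
                $num = substr($s, $i, $j - $i);
                if (!is_numeric($num)) {
                    throw new InvalidArgumentException("malformed number: $num");
                }
                $tokens[] = (float) $num;
                $i = $j;
                continue;
            }
            throw new InvalidArgumentException("unexpected character: $c");
        }
        return $tokens;
    }

    // expression := term (('+' | '-') term)*
    private function parseExpression(): float
    {
        $value = $this->parseTerm();
        while ($this->peek() === '+' || $this->peek() === '-') {
            $op = $this->next();
            $rhs = $this->parseTerm();
            $value = ($op === '+') ? $value + $rhs : $value - $rhs;
        }
        return $value;
    }

    // term := factor (('*' | '/') factor)*
    private function parseTerm(): float
    {
        $value = $this->parseFactor();
        while ($this->peek() === '*' || $this->peek() === '/') {
            $op = $this->next();
            $rhs = $this->parseFactor();
            if ($op === '/' && $rhs == 0.0) {
                throw new DivisionByZeroError('division by zero');
            }
            $value = ($op === '*') ? $value * $rhs : $value / $rhs;
        }
        return $value;
    }

    // factor := number | '-' factor | '(' expression ')'
    private function parseFactor(): float
    {
        $t = $this->next();
        if (is_float($t)) { return $t; }
        if ($t === '-') { return -$this->parseFactor(); }
        if ($t === '(') {
            $value = $this->parseExpression();
            if ($this->next() !== ')') {
                throw new InvalidArgumentException('missing closing parenthesis');
            }
            return $value;
        }
        throw new InvalidArgumentException('unexpected token');
    }

    private function peek() { return $this->tokens[$this->pos] ?? null; }

    private function next()
    {
        if (!isset($this->tokens[$this->pos])) {
            throw new InvalidArgumentException('unexpected end of input');
        }
        return $this->tokens[$this->pos++];
    }
}

// Constructed sample inputs: valid formulas evaluate, anything outside the
// grammar is refused before it can reach any interpreter.
$evaluator = new ArithmeticEvaluator();
var_dump($evaluator->evaluate('2 * (3 + 4) - 10 / 4'));
var_dump($evaluator->evaluate('-(1.5 + 2.5) * 2'));
try {
    $evaluator->evaluate('2 + x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The design difference is what matters: with the eval() version, a reviewer has to prove that no string accepted by the filter can do anything other than arithmetic, which is a negative property that is hard to establish and easy to break in later changes. With the evaluator, the set of possible behaviours is defined by the grammar in the parser, so adding features (say, a function call) means adding a rule, not loosening a filter.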
The vulnerability was corrected in Moodle versions 4.4.2, 4.3.6, 4.2.9, and 4.1.12 released Aug 10, 2024.