This flaw allowed an attacker to remove a course badge's alignment (the badge's link to an external skill or standard) without the badge owner's consent, thereby preventing it from being viewed by certain students. The Moodle team discovered the issue, fixed it, and released the fix to every supported 3.x branch. Sites still running unsupported versions of Moodle remain at risk; anyone on such a version should upgrade as soon as possible.

The attacker must get the victim to open attacker-controlled content while logged into Moodle: a link in a message, email, or social media post, or a page on a compromised website. Nothing needs to be downloaded. The attacker's page simply causes the browser to send a request to the "delete badge alignment" functionality on the victim's Moodle site; because the browser attaches the victim's session cookie automatically, the server processes the deletion as if the victim had requested it.

What is CSRF?

Cross-site request forgery (CSRF) is an attack that makes a user's web browser send an unwanted, state-changing request to a web application in which the user is currently authenticated. It exploits the fact that browsers attach a site's session cookie to every request sent to that site, whichever page initiated it, so the application cannot distinguish a forged request from a genuine one unless the request also carries something the attacker cannot obtain, such as a per-session token.
In the Moodle case, a CSRF attack lets an attacker remove a course badge's alignment without permission, which prevents it from being viewed by certain students.
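To make the delivery described above and the cookie behaviour it depends on concrete, here is an added example. It is not Moodle's own code (Moodle is written in PHP and its real endpoint, parameter names and data model differ); it is a small model with an auto-submitting attacker page, a handler that checks only authorization, and a handler that additionally requires Moodle's per-session token, sesskey. The hosts, the endpoint path, the class and function names and the badge data are all assumptions made for the illustration.

```python
"""Model of a CSRF attack on a "delete badge alignment" endpoint and of the
per-session token check (Moodle's "sesskey") that defeats it.

Added illustration, not Moodle's own code: Moodle is written in PHP and its
real endpoint, parameter names and data model differ. Session, Request,
browser_submit, attacker_page, the two handlers, the hosts, the URL path and
the badge data below are all assumptions made for this example.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional

TARGET_HOST = "moodle.example.edu"        # assumed victim site
ATTACKER_HOST = "evil.example.net"        # assumed attacker-controlled site
DELETE_PATH = "/badges/delete_alignment"  # assumed endpoint path


@dataclass
class Session:
    user_id: int
    can_manage_badges: bool
    # Per-session CSRF token, generated at login. Pages on TARGET_HOST embed it
    # in their forms; a page on any other origin has no way to read it.
    sesskey: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    params: dict
    session: Optional[Session]  # what the session cookie resolved to, if one was sent


def browser_submit(page_host, session, method, params, samesite="None"):
    """Simulate a browser submitting a form from page_host to TARGET_HOST.

    The browser attaches TARGET_HOST's session cookie on its own, which is what
    CSRF relies on. A SameSite=Lax cookie is withheld on cross-site POSTs but
    still sent on top-level cross-site GET navigations; the model mirrors that.
    """
    cross_site = page_host != TARGET_HOST
    if cross_site and samesite == "Lax" and method != "GET":
        session = None
    return Request(method, dict(params), session)


def attacker_page(badge_id, alignment_id, method="POST"):
    """HTML the attacker hosts: a form aimed at the deletion URL that submits
    itself as soon as the victim's browser renders it. It carries no sesskey
    because the attacker cannot learn one."""
    return (
        f'<form id="f" method="{method}" action="https://{TARGET_HOST}{DELETE_PATH}">'
        f'<input type="hidden" name="id" value="{badge_id}">'
        f'<input type="hidden" name="alignmentid" value="{alignment_id}">'
        '</form><script>document.getElementById("f").submit()</script>'
    )


def _delete(store, req):
    """Shared state change: store maps badge id -> {alignment id: name}."""
    badge = store.get(req.params.get("id"))
    alignment_id = req.params.get("alignmentid")
    if badge is None or alignment_id not in badge:
        return "not_found"
    del badge[alignment_id]
    return "deleted"


def delete_alignment_vulnerable(store, req):
    """Before the fix: authorization only. Any request that carries the
    victim's cookie succeeds, whether or not the victim intended it."""
    s = req.session
    if s is None or not s.can_manage_badges:
        return "denied"
    return _delete(store, req)


def delete_alignment_fixed(store, req):
    """After the fix: the same, plus a token check before anything is modified.
    compare_digest keeps the comparison constant-time."""
    s = req.session
    if s is None or not s.can_manage_badges:
        return "denied"
    if not secrets.compare_digest(req.params.get("sesskey", ""), s.sesskey):
        return "invalid_sesskey"
    return _delete(store, req)


def run_scenarios():
    """Constructed walk-through; returns every outcome so it can be checked."""
    victim = Session(user_id=7, can_manage_badges=True)
    forged = {"id": "42", "alignmentid": "a1"}   # what attacker_page() submits
    legit = dict(forged, sesskey=victim.sesskey)  # what Moodle's own form submits

    def fresh_store():  # constructed sample data: one badge with two alignments
        return {"42": {"a1": "Standard 1.2", "a2": "Standard 3.4"}}

    out = {}
    store = fresh_store()
    out["vuln_forged"] = delete_alignment_vulnerable(
        store, browser_submit(ATTACKER_HOST, victim, "POST", forged))
    out["vuln_forged_left"] = sorted(store["42"])
    out["fixed_forged"] = delete_alignment_fixed(
        fresh_store(), browser_submit(ATTACKER_HOST, victim, "POST", forged))
    out["fixed_legit"] = delete_alignment_fixed(
        fresh_store(), browser_submit(TARGET_HOST, victim, "POST", legit))
    # Defence in depth: SameSite=Lax stops the cross-site POST even against the
    # vulnerable handler, but not a top-level GET, so it does not replace the token.
    out["vuln_lax_post"] = delete_alignment_vulnerable(
        fresh_store(), browser_submit(ATTACKER_HOST, victim, "POST", forged, samesite="Lax"))
    out["vuln_lax_get"] = delete_alignment_vulnerable(
        fresh_store(), browser_submit(ATTACKER_HOST, victim, "GET", forged, samesite="Lax"))
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Running the file prints the six outcomes. The point to take from it is that the token check, not the cookie attribute, is the fix: the forged request reaches the vulnerable handler with a valid session and deletes the alignment, the fixed handler rejects it for lack of a sesskey, and a SameSite=Lax cookie only happens to block the POST variant while a GET-triggered deletion would still go through.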

CSRF protection in Moodle 3.x

Moodle's standard defence against CSRF is the per-session token it calls sesskey: every state-changing request must carry it, and the server verifies it with require_sesskey() or confirm_sesskey() before acting. The vulnerability described in this article has been addressed in the following version of Moodle:
- Moodle 3.x on 1st May 2018
If you are still running a version of Moodle older than 1st May 2018, upgrade to the latest supported release.

What you can do to protect yourself from CSRF attacks

Because the fix is server-side, the most effective protection is to run a supported, patched version of Moodle. Beyond that, treat links in emails, messages, and social media posts with suspicion, particularly while you are logged into Moodle, and log out when you have finished. Administrators can add a browser-side backstop by serving the session cookie with the SameSite attribute, which stops many cross-site requests from carrying the cookie, though it is not a substitute for the sesskey check.

What you'll need for this to work

The attacker needs a victim who is logged into an unsupported, unpatched Moodle site with permission to manage the badge in question, and a way to get that victim to open the malicious page, which means being able to place a link to it in a message, email, or social media post the victim will follow.

Timeline

Published on: 01/25/2022 20:15:00 UTC
Last modified on: 02/01/2022 16:59:00 UTC