Published: June 2024
Author: SecureInsight AI
Severity: High
Affected Product: Moodle (All versions before the fix)
TL;DR
A security vulnerability tagged as CVE-2024-43425 has been identified in Moodle, the popular open-source learning platform. This flaw makes it possible for users with the ability to add or update quiz questions to execute arbitrary PHP code on the Moodle server. Even though attackers need specific permissions, if user roles are not carefully restricted, this can lead to full remote code execution (RCE) and server compromise. The vulnerable area is *calculated* question types, which are used for math and formula-based quizzes.
1. What Is CVE-2024-43425?
CVE-2024-43425 is a vulnerability in Moodle’s implementation of “calculated question types”. Moodle uses PHP to process user-submitted formulas for these questions. Due to loose input validation, a specially crafted formula input can break out of intended restrictions and inject PHP code, especially if the add/update capability is accessible to untrusted users.
2. Who Is Affected?
- Moodle sites/configurations where untrusted users (teachers, assistants) can create or edit calculated questions.
Moodle versions prior to the patch (released in June 2024).
Default installations are only vulnerable if you grant question editing rights to untrusted users. However, many Moodle environments, especially in educational institutions, have hundreds of teachers/assistants with these permissions.
3. Technical Details
The core issue lies in how Moodle evaluates formulas in calculated questions. Before the patch, untrusted input wasn't fully sanitized before execution. The vulnerable code can be found in files handling question formulas, especially in /question/type/calculated/question.php.
Exploit Path
1. Attacker logs in as a user with moodle/question:edit or similar capability.
Attacker creates a new calculated question with a malicious formula.
3. When the question is processed (for preview, grading, etc.), the formula is evaluated unsafely, and the payload gets executed on the server.
3.1. Example Exploit (Proof-of-Concept)
> WARNING: Never run this on a production server or without consent!
Suppose the “Answer formula” in a calculated question is normally something like:
= {a} + {b}
But, using the flaw, an attacker might craft a formula like
=1+system('id')
Or, in more obfuscated cases, use PHP wrappers
=1+eval($_GET['cmd']);
That could turn the question preview into a remote shell opportunity.
Example PoC:
To prove code execution, an attacker might submit a formula that creates a file
=1+file_put_contents('/tmp/hacked.txt', 'owned by attacker');
After submitting and previewing the question, /tmp/hacked.txt will be created on the server!
The buggy function (heavily simplified)
// moodle/question/type/calculated/question.php
function calculate($formula, $vars) {
extract($vars);
return eval("return $formula;");
}
Here, $formula comes (unsanitized!) from user input.
4. How To Fix
Patch:
Moodle released a fix here (example link). The patch ensures only math expressions are allowed and does not pass raw formulas to eval().
Workarounds:
- Remove moodle/question:add and moodle/question:edit from all roles except for trusted admins.
Use an application firewall to block suspicious question creation.
Upgrade immediately to the latest Moodle version!
5. References
- Moodle Security Advisory: CVE-2024-43425 *(Official)*
- Exploit discussion on GitHub
- OWASP Guide: Untrusted Input in eval()
6. Final Thoughts
CVE-2024-43425 is a reminder of how dangerous unsafe evaluation functions can be, even in academic platforms like Moodle. The risk increases with every additional user who can manage quiz content. Double-check your permissions, update Moodle, and make sure only *absolutely trusted* users can create or modify calculated questions.
*Stay patched. Stay safe!*
*If you found this article helpful, share it with your IT and Moodle admin teams.*
Timeline
Published on: 11/07/2024 14:15:15 UTC
Last modified on: 11/08/2024 19:01:03 UTC