Moodle e-learning platform fixes session hijacking bug that leads to pre-auth RCE

2022-06-23 08:08:00 Khan security team

A session hijacking vulnerability in the popular e-learning platform Moodle allows an attacker to commandeer any user's session and enables remote code execution (RCE).

Last year, maintainers of the open source platform fixed this critical vulnerability, thus protecting 2.13 billion users in 241 countries and organizations including Shell, Microsoft and the London School of Economics.

The unauthenticated flaw (CVE-2021-40691) exists in Moodle's Shibboleth identity management plug-in because of "overuse of PHP's session_decode function when the database session handler is configured".

The bug depends on Shibboleth authentication being enabled in Moodle.

These findings build on another pre-auth RCE that the researchers discovered in the same plug-in last year, which is triggered when the session is stored in a single file, the default configuration for new installations.

That bug, patched in July 2021, meant that attackers could access student data and test papers, and might even manipulate exam results.

The researchers say both vulnerabilities "come from trying to re-implement or destroy PHP's internal session mechanism", which is an undesirable move "due to the complexity and pitfalls involved".

The later flaw concerns how the logout_db_session() function is called for each logout request received by the SOAP endpoint: it traverses all available database sessions and passes each session to the session_decode function.

The researchers say this decodes the serialized session data from the database and populates the $_SESSION superglobal with the decoded data, so that for a fraction of a second the attacker is treated as logged in as each user with an active session.

Because the last session is not unset, $_SESSION remains populated with the latest user's session information. Because of session_decode, that session is assigned to the attacker's session cookie, so an attacker can refresh the page and hijack a random user session.
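The side effect described above, shown in isolation as an added example that is not Moodle's code or its patch: a lookup loop that calls session_decode() leaves the last decoded row in the caller's own $_SESSION, while a snapshot-and-restore guard does not. The function names, the USER key and the session rows are constructed for illustration, and the guard is one possible mitigation, not the upstream fix.

```php
<?php
// Added illustration, not Moodle code; the session rows are constructed sample data.
// Rows use PHP's default "php" serialize handler format: key|serialize(value).
$rows = [
    'sid-student' => 'USER|' . serialize(['id' => 101, 'username' => 'student']),
    'sid-teacher' => 'USER|' . serialize(['id' => 202, 'username' => 'teacher']),
];

// Risky pattern: session_decode() writes each row into the caller's own $_SESSION.
function find_sid_unsafe(array $rows, string $username): ?string
{
    foreach ($rows as $sid => $data) {
        session_decode($data);
        if (($_SESSION['USER']['username'] ?? null) === $username) {
            return $sid;
        }
    }
    return null; // $_SESSION still holds the last row that was decoded
}

// One possible guard (an assumption, not the upstream patch): snapshot the
// caller's session and restore it on every exit path.
function find_sid_guarded(array $rows, string $username): ?string
{
    $saved = $_SESSION;
    try {
        foreach ($rows as $sid => $data) {
            session_decode($data);
            if (($_SESSION['USER']['username'] ?? null) === $username) {
                return $sid;
            }
        }
        return null;
    } finally {
        $_SESSION = $saved; // nothing decoded from other users' rows survives
    }
}

session_start(); // session_decode() requires an active session
$guest = ['USER' => ['id' => 0, 'username' => 'guest']];

$_SESSION = $guest;
find_sid_unsafe($rows, 'no-such-user');
echo 'after unsafe lookup:  ', $_SESSION['USER']['username'], PHP_EOL;

$_SESSION = $guest;
find_sid_guarded($rows, 'no-such-user');
echo 'after guarded lookup: ', $_SESSION['USER']['username'], PHP_EOL;
```

Run from the PHP CLI, the two printed usernames show whether the caller's identity survived each lookup.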

An attacker can log out to delete non-administrator sessions from the database and repeat the attack until an administrator session surfaces, which paves the way for RCE through the plug-in installer.

The bug affects versions 3.11-3.11.2, 3.10-3.10.6 and 3.9-3.9.9, and is fixed in 3.11.3, 3.10.7 and 3.9.10.

They submitted the bug through Bugcrowd on February 21, and a patch was released on GitHub on September 12.

Copyright notice
This article was written by [Khan security team]. Please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/01/202201122158056885.html