This vulnerability in Moodle is an Insecure Direct Object Reference (IDOR) in the RSS client block. The flaw lets an attacker bypass capability checks and read restricted RSS feeds by manipulating feed IDs: Moodle does not validate the requesting user's permissions when it fetches RSS feed content, so feed data is exposed to users who should not see it. An attacker can exploit this by sending requests with incremental feed IDs or by guessing valid identifiers. The vulnerability affects multiple Moodle versions, including the 4.1.x to 4.5.x branches.
DailyCVE Form:
Platform: Moodle
Version: <4.1.18, 4.3.0-4.3.11, 4.4.0-4.4.7, 4.5.0-4.5.3
Vulnerability: IDOR
Severity: Moderate
Date: Apr 25, 2025
What Undercode Says:
Exploit:
1. Identify target Moodle instance (e.g., `example.com/moodle`).
2. Enumerate RSS feed IDs:
```bash
for id in {1..100}; do curl -s "http://example.com/moodle/blocks/rss_client/feed.php?id=$id" | grep "<>"; done
```
3. Extract sensitive feed data via unauthenticated requests.
Mitigation:
1. Upgrade to patched versions (4.1.18, 4.3.12, 4.4.8, 4.5.4).
2. Implement proper capability checks in `blocks/rss_client/feed.php`:
```php
// $context is the context the feed is checked against (system context assumed here).
$context = context_system::instance();
// Aborts with a permission error unless the current user holds the capability.
require_capability('block/rss_client:manageanyfeeds', $context);
```
3. Apply input validation:
```php
// required_param() rejects a missing or non-integer id before it reaches the query.
$feedid = required_param('id', PARAM_INT);
// Refuse ids that do not correspond to a stored feed record.
if (!$DB->record_exists('block_rss_client', ['id' => $feedid])) {
    die('Invalid feed');  // In Moodle code, throwing a moodle_exception is the usual idiom.
}
```
Detection:
1. Audit logs for suspicious RSS feed access:
```sql
-- Legacy log table as given above; on Moodle 2.7+ the standard log store
-- table is mdl_logstore_standard_log (columns eventname, component, userid, ...).
SELECT * FROM mdl_log WHERE action LIKE '%rss%' AND userid = 0;
```
2. Monitor unexpected traffic to `feed.php`.
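As an added defensive example that is not part of the original advisory, the following Python script parses web-server access-log lines and flags clients that walk sequential feed IDs against `feed.php`, which is the traffic pattern the enumeration step above would produce. The log lines, IP addresses, paths and thresholds are constructed sample values, not real traffic.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache combined-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Apr/2025:10:00:01 +0000] "GET /moodle/blocks/rss_client/feed.php?id=1 HTTP/1.1" 200 812 "-" "curl/8.4.0"
203.0.113.7 - - [25/Apr/2025:10:00:01 +0000] "GET /moodle/blocks/rss_client/feed.php?id=2 HTTP/1.1" 200 790 "-" "curl/8.4.0"
203.0.113.7 - - [25/Apr/2025:10:00:02 +0000] "GET /moodle/blocks/rss_client/feed.php?id=3 HTTP/1.1" 200 803 "-" "curl/8.4.0"
203.0.113.7 - - [25/Apr/2025:10:00:02 +0000] "GET /moodle/blocks/rss_client/feed.php?id=4 HTTP/1.1" 404 210 "-" "curl/8.4.0"
203.0.113.7 - - [25/Apr/2025:10:00:03 +0000] "GET /moodle/blocks/rss_client/feed.php?id=5 HTTP/1.1" 200 811 "-" "curl/8.4.0"
198.51.100.4 - - [25/Apr/2025:10:05:17 +0000] "GET /moodle/blocks/rss_client/feed.php?id=3 HTTP/1.1" 200 803 "https://example.com/moodle/my/" "Mozilla/5.0"
198.51.100.4 - - [25/Apr/2025:10:07:02 +0000] "GET /moodle/course/view.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_feed_requests(log_text):
    """Return {client_ip: [feed_id, ...]} for every request to the RSS client feed endpoint."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("path"))
        if not url.path.endswith("/blocks/rss_client/feed.php"):
            continue
        ids = parse_qs(url.query).get("id", [])
        if ids and ids[0].isdigit():
            hits[m.group("ip")].append(int(ids[0]))
    return hits

def flag_enumeration(hits, min_distinct=4, max_gap=1):
    """Flag clients that requested many distinct feed ids in near-sequential order."""
    flagged = {}
    for ip, ids in hits.items():
        distinct = sorted(set(ids))
        if len(distinct) < min_distinct:
            continue
        steps = [b - a for a, b in zip(distinct, distinct[1:])]
        if steps and max(steps) <= max_gap:
            flagged[ip] = distinct
    return flagged

if __name__ == "__main__":
    print(flag_enumeration(parse_feed_requests(SAMPLE_LOG)))
```

Pair this with the server-side capability check above: access-log review only surfaces the probing after the fact, and a single request with a guessed ID would not trip the sequential-walk threshold.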
Reported By: github.com