How did a Moodle security vulnerability enable remote code execution?
Posted by Thang Le Toan on 20 August 2017 11:11 PM
A series of logic flaws in Moodle enabled attackers to remotely execute code on servers. Expert Michael Cobb explains how the Moodle security vulnerability can be exploited.
A vulnerability found in Moodle, an open source, PHP-based learning management system used by tens of thousands of universities internationally, left servers and their data open to compromise. According to the researcher who discovered the issue, the Moodle security vulnerability is actually made up of several small flaws, and chaining them enables attackers to execute PHP code on the affected servers. What does this vulnerability entail, and what can be done about it?
Netanel Rubin, security researcher and CEO of Vaultra, found that by exploiting a series of minor vulnerabilities, he could chain them together to remotely execute code on a server running Moodle.
Moodle is an open source learning management system that stores a lot of sensitive information, like students' grades, tests and private data, making it an attractive target for hackers. The Moodle security vulnerability is tracked as CVE-2017-2641 and Moodle Tracker issue MDL-58010.
The attack works on almost all Moodle versions in use at the time, so administrators should move to a patched release as soon as possible: version 3.2.2, or the corresponding security release of the older supported branches. Besides updating, administrators should also check for any new administrator accounts, plug-ins or templates within Moodle, and search for any new or recently modified files in the web root and the moodledata directory, in case the server has already been compromised.
The coding and logic flaws that contributed to this Moodle security vulnerability are a consequence of the size and complexity of the Moodle system; it contains thousands of files, hundreds of different components and around two million lines of PHP code, written and updated by various different developers at different times.
A new function, update_user_preferences, was added to Moodle to replace the update_users function. It implemented a privilege check, so even if an attacker could change settings through user preferences, the change would only apply to the attacker's own account.
While the new function removed the possibility of changing every user attribute, it failed to check which preference was being changed. The previous mechanism, setuserpref.php, checked that the preference to be updated was listed in the ajax_updatable_user_prefs array, which defines the preferences that may be changed via Ajax precisely so that no security-critical value can be altered. The new function dropped that allowlist check.
Ironically, the privilege check added to reduce abuse of the user attribute update function is what introduced this Moodle security vulnerability. The developer probably assumed that user preferences could not be exploited to mount a full-scale attack, as they only affect the graphical user interface part of the system.
However, without that containment an attacker can write arbitrary preferences, and the lack of containment enabled an object injection attack that could update any row in the entire database, including administrator accounts, passwords and site configuration. Rubin discovered that this and other false assumptions made during development could be leveraged to eventually execute PHP code on the server.
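The logic flaw described above, reduced to its essentials as an added example (this is illustrative Python, not Moodle's PHP code): a privilege check that limits which user an update may touch, but not which preference name is written. The preference names, the User class and the effective_role() consumer are all hypothetical; the allowlist merely stands in for the idea behind ajax_updatable_user_prefs. The object injection step that Rubin chained onto this is not modelled here.

```python
"""
Simplified model of the flaw: a privilege check that limits WHICH USER an update
may touch, but not WHICH PREFERENCE. Added example, not Moodle code; preference
names, the User class and effective_role() are all hypothetical.
"""


class PreferenceError(PermissionError):
    """Raised when a preference update is refused."""


# Constructed allowlist in the spirit of ajax_updatable_user_prefs: harmless UI
# preferences a user may set on their own account. The names are made up.
ALLOWED_PREFS = frozenset({"block_docked", "editor_autosave", "theme_dark"})

# Hypothetical sensitive key that other code reads from the same preference store.
ROLE_PREF = "internal_role"


class User:
    def __init__(self, uid: int, is_admin: bool = False):
        self.id = uid
        self.is_admin = is_admin
        self.preferences: dict[str, str] = {}


def may_edit(actor: User, target: User) -> bool:
    """The check the new function added: only your own account, unless you are admin."""
    return actor.id == target.id or actor.is_admin


def update_user_preferences_vulnerable(actor: User, target: User, prefs: dict) -> dict:
    """WHO is checked, WHAT is not: any preference name goes straight into the store."""
    if not may_edit(actor, target):
        raise PreferenceError("not allowed to edit this user's preferences")
    target.preferences.update(prefs)
    return dict(target.preferences)


def update_user_preferences_fixed(actor: User, target: User, prefs: dict) -> dict:
    """Same privilege check, plus the allowlist the old setuserpref.php path enforced."""
    if not may_edit(actor, target):
        raise PreferenceError("not allowed to edit this user's preferences")
    rejected = sorted(set(prefs) - ALLOWED_PREFS)
    if rejected:
        raise PreferenceError(f"preference(s) not updatable through this interface: {rejected}")
    target.preferences.update(prefs)
    return dict(target.preferences)


def effective_role(user: User) -> str:
    """Downstream code that trusts the preference store: the 'false assumption' in the text."""
    if user.is_admin:
        return "admin"
    return user.preferences.get(ROLE_PREF, "student")


def demo() -> tuple[str, str]:
    """Role an ordinary user ends up with under the vulnerable and the fixed code."""
    attacker = User(42)
    update_user_preferences_vulnerable(attacker, attacker, {ROLE_PREF: "admin"})
    role_vulnerable = effective_role(attacker)   # "admin": the UI-only assumption was wrong
    other = User(43)
    try:
        update_user_preferences_fixed(other, other, {ROLE_PREF: "admin"})
    except PreferenceError:
        pass
    role_fixed = effective_role(other)           # "student": the key never reached the store
    return role_vulnerable, role_fixed


if __name__ == "__main__":
    print(demo())
```

The point of the two versions is that both pass the same privilege check; only the second one constrains the data, which is what the removed allowlist used to do. Any interface that lets a caller name the key it writes needs both checks.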
Logic flaws can and will occur in any system featuring a large code base, particularly when it's developed over a long period of time by a changing team of developers.
According to Steve McConnell, author of Code Complete, software projects that reach 512,000 lines of code or more can see four to 100 coding errors per thousand lines of code. A typical web application utilizes multiple languages, such as Java, HTML, PHP, Python, CSS, third-party libraries and components, and so on, and there are very few developers that know or understand how to use and integrate each of them without introducing any security vulnerabilities.
To reduce the chances of developers introducing logic flaws or omitting security and validation checks, it should be a requirement that they add a minimum level of in-code comments using an agreed-upon comment style, along with more verbose supporting documentation. Wikipedia has a comprehensive list of comment styles.
Although time spent on commenting and documenting code will slow down development, it will ensure developers making changes in the future can fully understand what a function does, how it does it and what checks are required on the data it handles. It is important that functions receiving data passed by other functions don't carry the assumption that the data has already been validated, as the previous function may have validated it against a different set of requirements or rules.
A good example is a telephone number. A function to retrieve and display a user's telephone number from a database may well accept + and () symbols, but if that function then passes the data to a function that actually calls the number, these characters could cause the function to fail if they are not removed before being processed.
Moodle Site restore for low-tech users
Posted by Thang Le Toan on 03 July 2016 11:14 PM
This page is a work in progress in November 2010.
There are 3 areas of Moodle that should be backed up and thus can be restored: the Moodle code, the moodledata folder and the database.
The location of these areas can be found in the configuration file (config.php).
Here are some ways to restore a typical Moodle database, such as MySQL.
The phpMyAdmin restore process is about as simple as its backup process. To restore:
Restoring a backup of a MySQL database
There are 2 areas (the Moodle code and the moodledata folder) which can use the same techniques to back up and restore, because they are stored as files and folders.
Moodle Site restore
Posted by Thang Le Toan on 03 July 2016 11:13 PM
If you have followed the Site backup instructions and created a backup of a Moodle site, you may need to know how to restore the site backup you created.
There are 3 areas that could be restored individually or together: the Moodle code, the moodledata folder and the database.
The location and names of these areas can be found in the configuration file (config.php).
Command line (linux) restore
Here is a set of basic steps that make up the restore process.
1. Rename the original Moodle directory to something different (so you still have it) and copy the backed up Moodle directory or a newly downloaded Moodle directory in its place.
2. If you are running MySQL, a backup of the database should be a .sql, .gz or .tar.gz file. If it is .tar.gz or .gz you need to extract it until it is an sql file.
tar -xzvf moodlesqlfile.tar.gz
3. If you are running mysql, import the SQL file back into a newly created database on the MySQL server. Be careful here, some backups try to import right back into the same working database that Moodle is connected to. This causes database problems that damage a Moodle installation. The best thing to do is make a new database, restore the backed up database into it, and change the Moodle config.php file to connect to this new database (this way you still have the original database).
Once you have created the new database:
mysql -p new_database < moodlesqlfile.sql
For other databases, follow their instructions for restoring a backup.
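The command-line steps above, with the two places where they go wrong handled, as an added example (illustrative Python, not part of Moodle or of the original page): a backup archive is unpacked without letting a crafted member escape the destination directory, and config.php is pointed at the new database while refusing to "restore" into the database Moodle is already using. SAMPLE_CONFIG, make_sample_archive() and demo() are constructed inputs and helpers for the example; the actual import is still the mysql command shown in step 3.

```python
"""
Added helper for the command-line restore: safe extraction of the SQL dump and
switching $CFG->dbname in config.php. Example code, not Moodle's. SAMPLE_CONFIG and
make_sample_archive() are constructed test inputs.
"""
import io
import pathlib
import re
import shutil
import tarfile
import tempfile

# Constructed config.php fragment standing in for a real Moodle config file.
SAMPLE_CONFIG = """<?php
unset($CFG);
global $CFG;
$CFG = new stdClass();
$CFG->dbtype    = 'mysqli';
$CFG->dbhost    = 'localhost';
$CFG->dbname    = 'moodle';
$CFG->dbuser    = 'moodleuser';
$CFG->dataroot  = '/var/moodledata';
require_once(__DIR__ . '/lib/setup.php');
"""

DBNAME_RE = re.compile(r"""^(\s*\$CFG->dbname\s*=\s*)(['"])([^'"]*)\2(\s*;.*)$""", re.MULTILINE)


def point_config_at_database(config_text: str, new_dbname: str) -> tuple[str, str]:
    """Return (old_dbname, new_config_text) with $CFG->dbname switched to new_dbname.

    Refuses to "switch" to the database Moodle already uses, because importing the
    dump into the live database is exactly the mistake step 3 warns about.
    """
    if not re.fullmatch(r"[A-Za-z0-9_]+", new_dbname):
        raise ValueError("database name must be plain [A-Za-z0-9_]; it is spliced into PHP source")
    match = DBNAME_RE.search(config_text)
    if match is None:
        raise ValueError("no $CFG->dbname assignment found in config.php")
    old_dbname = match.group(3)
    if old_dbname == new_dbname:
        raise ValueError(f"refusing to restore into the live database {old_dbname!r}; create a new one")
    new_text = config_text[:match.start(3)] + new_dbname + config_text[match.end(3):]
    return old_dbname, new_text


def extract_sql_members(archive_path, dest_dir) -> list[pathlib.Path]:
    """Write every regular *.sql member of a .tar.gz backup into dest_dir.

    Members are copied by hand rather than with tar.extractall() so that a crafted
    archive cannot escape dest_dir via '../' names, absolute paths or symlinks.
    """
    dest = pathlib.Path(dest_dir).resolve()
    dest.mkdir(parents=True, exist_ok=True)
    written = []
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(".sql"):
                continue  # directories, symlinks, hardlinks and non-SQL files are skipped
            target = (dest / member.name).resolve()
            if dest not in target.parents:
                raise ValueError(f"archive member escapes destination: {member.name!r}")
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as out:
                shutil.copyfileobj(src, out)
            written.append(target)
    return written


def make_sample_archive(directory, include_hostile: bool = False) -> pathlib.Path:
    """Constructed moodlesqlfile.tar.gz with one harmless dump (and optionally a '../' member)."""
    directory = pathlib.Path(directory)
    directory.mkdir(parents=True, exist_ok=True)
    archive = directory / "moodlesqlfile.tar.gz"
    dump = b"-- constructed sample dump, not real data\nCREATE TABLE mdl_config (id INT);\n"
    with tarfile.open(archive, "w:gz") as tar:
        info = tarfile.TarInfo("moodlesqlfile.sql")
        info.size = len(dump)
        tar.addfile(info, io.BytesIO(dump))
        if include_hostile:
            evil = tarfile.TarInfo("../escape.sql")  # would land outside dest_dir if extracted naively
            tar.addfile(evil, io.BytesIO(b""))
    return archive


def demo() -> dict:
    """Run the procedure against the constructed inputs in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = pathlib.Path(tmp)
        extracted = extract_sql_members(make_sample_archive(tmp / "good"), tmp / "restore")
        try:
            extract_sql_members(make_sample_archive(tmp / "bad", True), tmp / "restore2")
            hostile_rejected = False
        except ValueError:
            hostile_rejected = True
        old_dbname, _ = point_config_at_database(SAMPLE_CONFIG, "moodle_restore")
        return {"extracted": [p.name for p in extracted],
                "sql_head": extracted[0].read_bytes()[:2],
                "hostile_rejected": hostile_rejected,
                "old_dbname": old_dbname}


if __name__ == "__main__":
    print(demo())
```

After the dump is extracted and config.php rewritten, the import itself is the page's own command, run against the new database name: mysql -p new_database < moodlesqlfile.sql. The original database stays untouched, which is the whole reason for the detour.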
See also: Tools for site backup and restore, Tools for backing up data files, Restore with phpMyAdmin, Restoring a backup of a MySQL database.
What are the pros and cons of course versus site backups?
Site backups are recommended in order to have all data saved with the best confidence and the shortest recovery time.
For a site administrator, automated course backups are more expensive in terms of time, CPU usage and storage, and getting a site running again from course backups takes longer than restoring a site backup. However, teachers and site administrators might find course backups useful as a way to create a "fresh" copy of a course that can be re-used (in older versions of Moodle; in newer versions see Import course data) or as a method to distribute courses to other Moodle sites.
Why is my automated course backup much smaller in size than my manual course backup?
This is an intentional design decision. Because of the way files are stored in Moodle 2.x, there is no need to include the files in the backup if you are planning to restore them to the same Moodle site. Leaving them out saves huge amounts of disk space and makes the backup procedure much faster.
What data is not contained in course backups?
By selecting all the options when setting up the backup you can include almost all the data in the course. However you should be aware of the fact that some things are not backed up:
Why is there no "all/none" feature when selecting items to backup?
This was enabled in MDL-32705 and is available in Moodle 2.3.2 onwards.
The process ends with: "Error: An error occurred deleting old backup data". What should I do?
This part of the backup (or restore) procedure tries to delete old info, used in previous executions, performing the following tasks:
For points 1 & 2, there are various ways of repairing tables, including using MySQL Admin.
For point 3 see below:
The error message states that the directory is not empty and gives the path to that directory. If you go there with an FTP program you can see what is there and clean up. It could be just some empty subfolders that were left over; deleting these has helped. One can also delete the directory "moodledata/temp/backup" completely. That can take a bit longer but may solve several problems at once.
The process ends with: "XML error: not well-formed (invalid token) at line YYYY". What can I do?
This problem can appear at any point in the restore process. It's caused when the XML parser detects something incorrect in the backup file that prevents correct operation. Usually the cause is "illegal" characters that got into the original course through copy/paste of text containing them (control characters, invalid byte sequences, ...).
The best method to handle this issue is:
Also, if possible, it's highly recommended to solve those problems in the original course too from Moodle itself. Once "repaired" there, problems will be out if you create new backup files in the future.
The process ends with: "moodle xml not found at root level of zip file". What can I do?
If you are restoring from a zip file backup make sure the moodle.xml file is at the root level. To ensure this:
If the backup file is guaranteed to be correct, check paths to external files (zip, unzip). Incorrect settings also lead to this error message (see the Using Moodle forum discussion moodle.xml not found in root... and MDL-14812).
The process ends with: "An error occurred while copying the zip file..."
This problem is most likely caused by a permissions issue in the destination directory. Backup files are copied to "XXX/backupdata" under your dataroot directory (where XXX is the id of the course being backed up).
The problem could also be caused by a disk being full, though this is far less likely.
To obtain precise information about what's happening, you can enable debug messages in Administration > Server > Debugging (select the maximum level - DEVELOPER) and/or check the web server error logs.
I Still get an XML error. How can I clean the borked XML file?
In some cases XML backup files may contain characters causing the restore process to abort, even after the steps described in the previous question. In such cases you may want to try the following:
java -jar atlassian-xml-cleaner-0.1.jar moodle-unclean.xml > moodle.xml
What does "Some of your courses weren't saved!!" mean?
There are three possible causes of this problem:
Why are some courses being skipped?
Course backups automatically skip courses which are unavailable to students and have not been changed in the time period specified in 'Skip courses not modified' in Settings > Site administration > Courses > Backups > Automated backup setup (by default 30 days).
Why does restore stop, rather than completing?
Attempting to restore a course to an older version of Moodle than the one the course was backed up on can result in the restore process failing to complete. To ensure a successful restore, make sure that the version of Moodle you are restoring the course to is the same, or newer, than the one the course was backed up on.
If it stops unexpectedly with no errors shown, try again with Debugging switched on. Any errors you now see can help experts in the support forums diagnose your problem. You can also check the discussion links in the See also section below for further advice.
Restore stops with the message "Trying to restore user xxxx from backup file will cause conflict"
This message is displayed when:
If 1, 2 and 3 are all true, the restore process stops in order to prevent the backup user xxxx's activities (forum posts, quiz attempts, assignment uploads, etc) from being associated with the target site user xxxx.
These checks and behaviour were introduced in Moodle 1.9.x and continue being valid under 2.0. It's common for the user in question to be the "admin" user (which exists in practically all Moodle installations).
There are two possible methods to make the xxxx users match (and avoid the conflict):
a) Modify the backup archive users.xml file and make the email or firstaccess fields match the ones in target site.
Method a) is recommended so the restore process will match both xxxx users and all activities in the backup file belonging to xxxx will be associated to the already existing target site user xxxx user.
NOTE: When using method a) be aware that the moodle-filename-backup.mbz is a zip file and can be renamed to moodle-filename-backup.zip and unzipped. When editing is complete, rezip and then rename using the original file name with the "*.mbz" extension.
Inter-activity links must be absolute (full) URLs e.g.
in order to be processed properly during backup and restore. Any relative URLs e.g.
will result in broken links when the course is restored.
I have a very large course, over 2GB, and the backup process stops.
Larger courses can be restored in Moodle, but sometimes it needs a bit of tweaking to get it right. Moodle backup files are *.mbz files and can be renamed to zip files. They can be unzipped, then edited, rezipped and restored. It does not matter whether you are using a Linux, Windows or Mac server, a local host or anything else; the technique is the same.
The editing has two parts. First, the resources, activities, quizzes, images, video files and so on are listed and referred to in the files.xml file. You can find the starting point and the end point of each resource that you want to delete out of the XML file.
The xml might look something like this:
<file id="111">
  <contenthash>b11ac9bc0cebee17acfd28d13b548331f76645bc</contenthash>
  <contextid>21</contextid>
  <component>mod_resource</component>
  <filearea>content</filearea>
  <itemid>0</itemid>
  <filepath>/</filepath>
  <filename>howtomakeatimemachine.flv</filename>
  <userid>4</userid>
  <filesize>1092320586557</filesize>
  <mimetype>video/flv</mimetype>
  <status>0</status>
  <timecreated>12345432123</timecreated>
  <timemodified>12345432123</timemodified>
  <source>howtomakeatimemachine.flv</source>
  <author>Fred Nurks</author>
  <license>allrightsreserved</license>
  <sortorder>0</sortorder>
  <repositorytype>$@NULL@$</repositorytype>
  <repositoryid>$@NULL@$</repositoryid>
  <reference>$@NULL@$</reference>
</file>
When editing, make sure all this is deleted, everything between the <file></file> tags.
The second part of the editing is locating the actual resource (an image, a separate file or a video) and deleting it. Really large mbz files tend to have a lot of videos, often flv files, or uncompressed images like TIFFs. They can be found, and deleted easily, in the directory tree of the backup.
You can then rezip the edited file, rename it to an mbz and, if you have edited it right, it should restore. You can use the original file to break down really large backups over and over into four or five smaller mbz files, as many as you like.
It is recommended that you test the technique first on a smaller file, it is easier to follow and gets you used to xml structuring and so on. Say one course with a couple of pages, a number of different image types, a couple of videos will help you immensely.
You do not usually have to worry about permissions or editing rights on Windows or Mac OS X servers. However, you may need to make sure you are the owner of the files being edited.
NOTE: Before re-zipping, check that you have removed all references to the pages/files/resources you have deleted in the moodle_backup.xml file as well. There may be none, but check anyway.
How can I extract original files from a Moodle backup file?
If you really want to get original files from the backup file (an ".mbz" file) you downloaded (using the backup and restore feature), you can do so in much the same way as is suggested above.
The backup file can actually be opened with any zip/unzip program you can download. Once you open the file, you need to extract:
The files.xml file. The files directory (folder).
Next step would be to open the "files.xml" file in a text editor, and:
Search for the name of each file you want to get. Take note of the value of the corresponding contenthash tag. In the "files" folder you extracted, locate the file whose name is the same as the value of the contenthash and which will always be located in a folder whose name corresponds to the two first characters of the file name.
For example, let's assume there is a "backup_courses-120730.mbz" file of which the "files.xml" file and the "files" folder have been extracted. There is a PDF file named "Leadership.pdf" that is required for another purpose.
Open the files.xml file and:
1. Search for the string "Leadership.pdf", which in this case is found under the following <file id...> group tag:
<file id="12345">
  <contenthash>fb6cf43a9b2d432403c70a2cb4c340dbb6225631</contenthash>
  :
  <filename>Leadership.pdf</filename>
  :
  <license>allrightsreserved</license>
  <sortorder>1</sortorder>
</file>
2. Take note of the corresponding contenthash value: fb6cf43a9b2d432403c70a2cb4c340dbb6225631.
3. As the first two characters of the contenthash are "fb", open the "fb" folder inside the "files" directory (which was previously extracted), and there is a file named "fb6cf43a9b...". Rename that file as "Leadership.pdf", and then move it to another location. Repeat this for all the files required, using the correct contenthash value of course.
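Both .mbz editing tasks above (pulling an original file out of a backup by its contenthash, and trimming oversized files out of a backup that is too large to restore) done in one added example. This is illustrative Python, not Moodle's code and not part of the original page. The sample backup is constructed in memory with a small PDF-like file and a zero-filled "video". Beyond what the page states about files.xml and the files/xx/contenthash layout, the example relies on one more fact about Moodle's file store: the contenthash is the SHA-1 of the file contents, which lets each extracted blob be verified before it is trusted.

```python
"""
Added helper for editing .mbz backups: extract an original file by contenthash
and prune oversized <file> entries. Example code, not Moodle's. The backup built by
build_sample_mbz() is constructed test data.
"""
import hashlib
import io
import re
import xml.etree.ElementTree as ET
import zipfile

CONTENTHASH_RE = re.compile(r"[0-9a-f]{40}")


def build_sample_mbz() -> bytes:
    """Constructed backup: a tiny PDF-like file and a 'video' that is just zero bytes."""
    pdf = b"%PDF-1.4\n% constructed sample, not a real document\n"
    video = b"\0" * 4096
    entries = [("12345", "Leadership.pdf", "application/pdf", pdf),
               ("111", "howtomakeatimemachine.flv", "video/flv", video)]
    files_xml = ['<?xml version="1.0" encoding="UTF-8"?>', "<files>"]
    blobs = {}
    for fid, name, mime, data in entries:
        h = hashlib.sha1(data).hexdigest()   # Moodle's contenthash is sha1 of the content
        blobs[h] = data
        files_xml.append(
            f'  <file id="{fid}"><contenthash>{h}</contenthash><component>mod_resource</component>'
            f"<filearea>content</filearea><filepath>/</filepath><filename>{name}</filename>"
            f"<filesize>{len(data)}</filesize><mimetype>{mime}</mimetype></file>")
    files_xml.append("</files>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("moodle_backup.xml", "<moodle_backup/>")  # placeholder course manifest
        z.writestr("files.xml", "\n".join(files_xml))
        for h, data in blobs.items():
            z.writestr(f"files/{h[:2]}/{h}", data)          # blob lives under its first two hex chars
    return buf.getvalue()


def list_files(mbz: bytes) -> list[dict]:
    """Parse files.xml into dicts with id, filename, contenthash and filesize."""
    with zipfile.ZipFile(io.BytesIO(mbz)) as z:
        root = ET.fromstring(z.read("files.xml"))
    return [{"id": f.get("id"), "filename": f.findtext("filename"),
             "contenthash": f.findtext("contenthash"),
             "filesize": int(f.findtext("filesize") or 0)} for f in root.findall("file")]


def extract_original(mbz: bytes, filename: str) -> bytes:
    """Return the bytes of the first <file> entry named filename, verified against its hash."""
    entry = next((e for e in list_files(mbz) if e["filename"] == filename), None)
    if entry is None:
        raise KeyError(f"{filename!r} not listed in files.xml")
    h = entry["contenthash"]
    if not CONTENTHASH_RE.fullmatch(h):
        raise ValueError(f"malformed contenthash {h!r}")  # never build a zip path from untrusted text
    with zipfile.ZipFile(io.BytesIO(mbz)) as z:
        data = z.read(f"files/{h[:2]}/{h}")
    if hashlib.sha1(data).hexdigest() != h:
        raise ValueError("blob does not match its contenthash; backup is corrupt or tampered with")
    return data


def prune_large_files(mbz: bytes, max_bytes: int) -> tuple[bytes, list[str]]:
    """Drop every <file> larger than max_bytes from files.xml and remove its blob.

    A blob is only deleted when no remaining entry still references it, because
    identical content is stored once and may be listed under several files.
    """
    with zipfile.ZipFile(io.BytesIO(mbz)) as z:
        root = ET.fromstring(z.read("files.xml"))
        removed = []
        for f in list(root.findall("file")):
            if int(f.findtext("filesize") or 0) > max_bytes:
                removed.append(f.findtext("filename"))
                root.remove(f)                      # everything between <file> and </file> goes
        still_used = {f.findtext("contenthash") for f in root.findall("file")}
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zo:
            for name in z.namelist():
                if name == "files.xml":
                    zo.writestr(name, '<?xml version="1.0" encoding="UTF-8"?>\n'
                                + ET.tostring(root, encoding="unicode"))
                elif name.startswith("files/") and name.rsplit("/", 1)[-1] not in still_used:
                    continue                        # orphaned blob: this is where the space goes
                else:
                    zo.writestr(name, z.read(name))
    return out.getvalue(), removed


if __name__ == "__main__":
    sample = build_sample_mbz()
    print(extract_original(sample, "Leadership.pdf")[:8])
    trimmed, gone = prune_large_files(sample, 1024)
    print(gone, [e["filename"] for e in list_files(trimmed)])
```

The hash check matters when the backup came from somewhere you do not control: files.xml names the file, but only the SHA-1 ties that name to the blob that is actually restored. The pruning function edits files.xml and the blob tree only; as the note above says, references to the deleted resources in moodle_backup.xml still have to be removed by hand.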
What happens if I restore a backup containing an assignment from Moodle 2.2 and older?
The assignment activity module was completely rewritten in Moodle 2.3. Thus, assignments from Moodle 2.2 and older (e.g. from Moodle 1.9) need to be upgraded in order to continue being usable. See the section 'Restoring course backups from Moodle 2.2 and older' in Assignment upgrade tool for details of what to do
MOODLE Site Backup for Low-tech Users
Posted by Thang Le Toan on 03 July 2016 10:51 PM
This page is written for Moodle site administrators who are interested in learning about site backup and restore process, but who are not familiar with code, command lines or website administration. For others please see Site backup.
A complete Moodle site backup involves 3 things: the Moodle code, the moodledata folder and the MySQL tables. A course backup and download off site is always a best practice but it only involves parts of the moodledata folder and SQL table.