CVE-2022-31372
📋 TL;DR
CVE-2022-31372 is a path traversal vulnerability in Wiris Mathtype v7.28.0 that allows attackers to access arbitrary files on the server by manipulating the resourceFile parameter. This affects Moodle installations using the vulnerable Wiris Mathtype plugin. Attackers can potentially read sensitive server files through crafted HTTP requests.
💻 Affected Systems
- Wiris Mathtype Moodle Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive server files including configuration files, source code, or system files, potentially leading to credential theft, system compromise, or data exfiltration.
Likely Case
Unauthorized file disclosure from the web server's accessible directories, potentially exposing application configuration or user data.
If Mitigated
Limited impact with proper file permissions and web server restrictions, potentially only exposing non-sensitive application files.
🎯 Exploit Status
Exploitation requires sending crafted HTTP requests to the vulnerable resource handler endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after commit 037ce9c1d9b9642689a332b6ebee8eaf0a737576
Vendor Advisory: https://github.com/wiris/moodle-filter_wiris/commit/037ce9c1d9b9642689a332b6ebee8eaf0a737576
Restart Required: No
Instructions:
1. Update the Wiris Mathtype plugin to the latest version.
2. Apply the fix from commit 037ce9c1d9b9642689a332b6ebee8eaf0a737576.
3. Clear the Moodle cache if necessary.
🔧 Temporary Workarounds
Disable Wiris Mathtype Plugin
Temporarily disable the vulnerable plugin until patching is possible
Navigate to Moodle admin panel > Plugins > Filter plugins > Disable Wiris Mathtype
Web Server Path Restriction
Configure the web server to restrict access to the vulnerable resource handler endpoint
Add a location block in nginx, or a Directory/Files directive in Apache, to restrict access to /filter/wiris/resource.php
🧯 If You Can't Patch
- Implement strict file permissions on web server directories
- Deploy WAF rules to detect and block path traversal attempts
🔍 How to Verify
Check if Vulnerable:
Check Moodle plugin version in admin panel or examine filter/wiris/version.php file for version 7.28.0
Check Version:
Check /filter/wiris/version.php or Moodle admin plugin management interface
Verify Fix Applied:
Verify plugin version is updated beyond 7.28.0 and test resource handler endpoint with traversal attempts
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /filter/wiris/resource.php with ../ sequences
- Unusual file access patterns from web server process
Network Indicators:
- HTTP requests containing path traversal sequences to the resource handler endpoint
SIEM Query:
SELECT * FROM web_access_logs WHERE url LIKE '%/filter/wiris/resource.php%' AND (url LIKE '%../%' OR url LIKE '%..%2F%' OR url LIKE '%..%2f%')
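The SIEM query above only matches a literal `../` or `..%2F` in the raw URL, so it misses double-encoded or backslash variants. The following is an added detection example (written for this page, not code from the page or from the Wiris project) that parses web server access-log lines, isolates requests to /filter/wiris/resource.php, fully percent-decodes the resourceFile parameter and flags any `..` path segment. It assumes Apache/nginx Combined Log Format; the log lines are constructed samples, and `find_traversal_hits` and `summarize_by_ip` are names chosen here.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample access-log lines in Combined Log Format (not real traffic).
# Line 2 is a plain traversal, line 3 is percent-encoded, line 4 is double-encoded,
# and line 5 is a traversal against an unrelated endpoint that should not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2022:12:00:01 +0000] "GET /filter/wiris/resource.php?resourceFile=style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2022:12:00:02 +0000] "GET /filter/wiris/resource.php?resourceFile=../../config.php HTTP/1.1" 200 2048 "-" "curl/7.68.0"
203.0.113.7 - - [10/Jun/2022:12:00:03 +0000] "GET /filter/wiris/resource.php?resourceFile=..%2F..%2Fconfig.php HTTP/1.1" 200 2048 "-" "curl/7.68.0"
203.0.113.7 - - [10/Jun/2022:12:00:04 +0000] "GET /filter/wiris/resource.php?resourceFile=%252e%252e%252fconfig.php HTTP/1.1" 404 100 "-" "curl/7.68.0"
203.0.113.9 - - [10/Jun/2022:12:00:05 +0000] "GET /course/view.php?id=../../etc/passwd HTTP/1.1" 404 100 "-" "Mozilla/5.0"
"""

# Combined Log Format: client, ident, user, [timestamp], "METHOD URL PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Endpoint named on the page as the vulnerable resource handler.
TARGET_PATH = "/filter/wiris/resource.php"


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True if the decoded value contains a '..' path segment (forward or back slash)."""
    decoded = decode_fully(value).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    match = LOG_RE.match(line)
    if not match:
        return None
    record = match.groupdict()
    record["status"] = int(record["status"])
    return record


def find_traversal_hits(log_text):
    """Return one record per request to the resource handler whose resourceFile traverses."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        parts = urlsplit(record["url"])
        if parts.path != TARGET_PATH:
            continue
        # parse_qs performs one round of percent-decoding; is_traversal does the rest.
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("resourceFile", []):
            if is_traversal(value):
                hits.append({
                    "ip": record["ip"],
                    "ts": record["ts"],
                    "status": record["status"],
                    "resourceFile": value,
                })
                break
    return hits


def summarize_by_ip(hits):
    """Count flagged requests per client address, for alert thresholds."""
    counts = {}
    for hit in hits:
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_traversal_hits(SAMPLE_LOG):
        print(hit)
    print(summarize_by_ip(find_traversal_hits(SAMPLE_LOG)))
```

Run against the sample, the script flags the three requests from 203.0.113.7 and ignores both the legitimate `style.css` request and the traversal aimed at an unrelated endpoint. A flagged request that returned HTTP 200 deserves priority in triage, since it indicates the handler served something rather than rejecting the path; a 404 on the same pattern is still worth recording as a probe.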