CVE-2024-34002
📋 TL;DR
A Moodle user who is allowed to restore feedback module backups can trigger a local file include (LFI) during the restore. On a shared host that is misconfigured so one tenant can reach another tenant's files, an attacker who also has direct (non-Moodle) access to the server outside the Moodle webroot can point that include at a file under their control; because PHP executes included files, this can lead to code execution on the server, and at minimum to disclosure of files such as Moodle's config.php. Both preconditions (the restore capability and the broken tenant isolation) are required, so correctly isolated hosting is not exposed.
💻 Affected Systems
- Moodle
📦 What is this software?
Moodle by Moodle: an open-source, PHP-based learning management system (LMS). The vulnerable code is in the restore process of its feedback activity module.
⚠️ Risk & Real-World Impact
Worst Case
Attacker includes a file they have placed on the server and runs code as the web server user, or reads sensitive server files such as config.php (database credentials) and other tenants' data, potentially leading to full system compromise.
Likely Case
Unauthorized reading of other users' Moodle content and of files reachable by the web server's PHP process, limited to the directories the misconfigured host leaves accessible.
If Mitigated
No impact with proper shared hosting isolation and Moodle permission controls.
🎯 Exploit Status
Requires an authenticated Moodle user who holds the capability to restore feedback module backups, plus direct server access outside the Moodle webroot on a shared host that does not isolate tenants. This is a hard chain of preconditions, not a remote unauthenticated attack.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in the Moodle security releases listed in the vendor advisory below; branches that no longer receive security fixes stay vulnerable and must be upgraded to a supported branch.
Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=458390
Restart Required: No
Instructions:
1. Read the vendor advisory to find the patched release for your Moodle branch.
2. Upgrade Moodle to that release (or a later one on the same branch) and complete the upgrade step so the site runs the patched code.
3. Independently of the patch, confirm that the hosting environment isolates tenants: another tenant's PHP must not be able to read or include your Moodle files.
🔧 Temporary Workarounds
Restrict shared hosting permissions
Platform: Linux. Ensure the hosting platform isolates tenants: each site's PHP runs as its own OS user (for example separate PHP-FPM pools with their own user and group, or mod_ruid2 / suEXEC-style modules on Apache), tenant directories are not readable by other OS users, and PHP's open_basedir confines each site to its own webroot and dataroot so a stray include cannot reach another tenant's files.
# Configure the web server and PHP to enforce per-tenant user isolation
# Example for Apache: use mod_ruid2, suEXEC or per-site PHP-FPM pools, plus open_basedir
Limit Moodle permissions
Platform: all. Review who can restore backups (the Moodle capabilities moodle/restore:restoreactivity and moodle/restore:restorecourse, which cover restoring feedback modules) and remove them from any role held by users you do not fully trust.
# In Moodle admin: Site administration > Users > Permissions > Define roles
# Review which roles grant the restore capabilities and who is assigned those roles
🧯 If You Can't Patch
- Audit and fix the shared hosting configuration so tenants run as separate OS users and cannot read each other's files
- Remove the restore capabilities (moodle/restore:restoreactivity, moodle/restore:restorecourse) from every role that untrusted users hold, so only site administrators can restore backups
🔍 How to Verify
Check if Vulnerable:
You are exposed only if all three hold:
1. Moodle runs on shared hosting alongside other tenants.
2. The hosting configuration lets one tenant read or include another tenant's files.
3. Users other than site administrators hold the capability to restore feedback modules (moodle/restore:restoreactivity or moodle/restore:restorecourse).
Check Version:
Check the Moodle version in Site administration > Notifications, or read the $release line in version.php at the Moodle webroot, and compare it with the patched release for your branch in the vendor advisory.
Verify Fix Applied:
1. Confirm the running release is at or above the patched release for its branch.
2. Test tenant isolation from another tenant's account: config.php and the dataroot must not be readable by other OS users.
3. Confirm that only trusted roles hold the restore capabilities.
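The two mechanical parts of the verification above (release comparison and file permission bits), as an added example that is not part of the original page or of Moodle itself. It parses the $release string that Moodle keeps in version.php, compares it with the fixed release of the same major.minor branch, and flags permission bits that let other OS users read or write a path. The sample version.php text is constructed, and the patched-release list passed in is an example input: take the real list from the vendor advisory.

```python
import os
import re
import stat
from typing import Iterable, Optional, Tuple

# Matches the "$release = '...';" line that Moodle keeps in version.php at its webroot.
RELEASE_RE = re.compile(r"^\s*\$release\s*=\s*'([^']+)'", re.MULTILINE)

# Constructed sample of a Moodle version.php; the release and build number are illustrative only.
SAMPLE_VERSION_PHP = """<?php
defined('MOODLE_INTERNAL') || die();
$version  = 2024021200.00;
$release  = '4.3.3 (Build: 20240212)';
$branch   = '403';
"""


def read_release(version_php_text: str) -> Optional[str]:
    """Return the $release string, e.g. '4.3.3 (Build: 20240212)', or None if absent."""
    m = RELEASE_RE.search(version_php_text)
    return m.group(1) if m else None


def parse_release(release: str) -> Tuple[int, int, int]:
    """'4.3.3 (Build: ...)' -> (4, 3, 3); '4.4+ (Build: ...)' -> (4, 4, 0)."""
    parts = [int(p) for p in re.findall(r"\d+", release.split()[0])]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_patched(release: str, patched_releases: Iterable[str]) -> bool:
    """True if `release` is at or above the fixed release of its own major.minor branch.

    patched_releases holds one fixed version per branch, taken from the vendor advisory.
    A branch that is not in the list (for example an end-of-life one) is treated as unpatched.
    """
    cur = parse_release(release)
    for fixed in patched_releases:
        fv = parse_release(fixed)
        if fv[:2] == cur[:2]:
            return cur >= fv
    return False


def check_mode(mode: int) -> dict:
    """Flag permission bits that let other OS users (other tenants) read or write a path."""
    return {
        "world_readable": bool(mode & stat.S_IROTH),
        "world_writable": bool(mode & stat.S_IWOTH),
        "group_writable": bool(mode & stat.S_IWGRP),
    }


def check_path(path: str) -> dict:
    """os.stat wrapper around check_mode, meant for config.php and the dataroot."""
    return check_mode(os.stat(path).st_mode)


def verify(version_php_text: str, patched_releases: Iterable[str],
           paths: Iterable[str] = ()) -> dict:
    """Combine both checks; `ok` is True only if patched and no listed path is world-accessible."""
    release = read_release(version_php_text)
    patched = bool(release) and is_patched(release, patched_releases)
    results = {p: check_path(p) for p in paths if os.path.exists(p)}
    exposed = {p: r for p, r in results.items() if r["world_readable"] or r["world_writable"]}
    return {"release": release, "patched": patched, "exposed": exposed,
            "ok": patched and not exposed}


if __name__ == "__main__":
    # Example patched-release list (hypothetical input): substitute the advisory's versions.
    example_patched = ("4.4", "4.3.4", "4.2.7", "4.1.10")
    print(verify(SAMPLE_VERSION_PHP, example_patched, ("/var/www/moodle/config.php",)))
```

Run it against the real version.php and pass config.php and the dataroot as `paths`; a world-readable config.php is a finding on its own, since it holds the database credentials. The permission check is only a first filter: the definitive isolation test is logging in as another tenant and attempting to read those paths.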
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in web server logs
- Multiple failed attempts to access files outside expected paths
Network Indicators:
- Traversal sequences (../ or their percent-encoded forms such as %2e%2e%2f) or file= parameters in HTTP requests. Because this flaw is exercised while restoring a backup, the malicious input may be carried inside the uploaded backup archive rather than in the URL, so also review Moodle's own log store (the mdl_logstore_standard_log table) for restore events by accounts that should not be restoring.
SIEM Query:
web_server_logs WHERE (url CONTAINS '../' OR url CONTAINS '..%2f' OR url CONTAINS '%2e%2e' OR url CONTAINS 'file=') AND response_code=200
(Decode the URL before matching if the SIEM supports it; the plain string match misses encoded traversal, and 'file=' alone matches benign requests, so treat it as a low-confidence indicator.)
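The log indicators above as an added example (not part of the original page or of Moodle): a scanner for Apache/Nginx combined-format access logs that percent-decodes the request URL before matching, so encoded traversal is not missed, keeps the weak `file=` indicator separate from a real traversal, and counts non-200 probes per client for the "multiple failed attempts" indicator. The sample log lines are constructed for this example; the Moodle paths in them are only request targets, not attack details from the advisory.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Apache/Nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)
# "../" or "..\" after percent-decoding; a plain string match misses %2e%2e%2f.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
FILE_PARAM_RE = re.compile(r"[?&]file=")

# Constructed sample lines; hosts, timestamps and requests are made up for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:10:01:02 +0000] "GET /course/view.php?id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:10:01:09 +0000] "GET /mod/feedback/view.php?id=12&file=../../../config.php HTTP/1.1" 200 811 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2024:10:02:11 +0000] "GET /pluginfile.php/5/mod_resource/content/1/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 210 "-" "curl/8.0"
203.0.113.9 - - [10/May/2024:10:02:15 +0000] "GET /backup/restorefile.php?contextid=2&file=..%2f..%2fconfig.php HTTP/1.1" 200 1200 "-" "curl/8.0"
198.51.100.7 - - [10/May/2024:10:03:00 +0000] "GET /mod/feedback/edit.php?id=12&file=summary HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def decode_url(url: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so single- and double-encoded traversal both become ../."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def classify(url: str) -> List[str]:
    """Indicator names matching this URL: 'traversal' is the strong one, 'file_param' is noisy."""
    decoded = decode_url(url)
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("traversal")
    if FILE_PARAM_RE.search(decoded):
        reasons.append("file_param")
    return reasons


def scan(log_text: str, only_success: bool = True) -> Tuple[List[Dict], Counter]:
    """Return (hits, failed_by_ip).

    hits lists matching requests, restricted to HTTP 200 when only_success is set (a 200 on a
    traversal URL is what the SIEM query keys on). failed_by_ip counts non-200 matching
    requests per client, which is the "multiple failed attempts" indicator.
    """
    hits: List[Dict] = []
    failed_by_ip: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["url"])
        if not reasons:
            continue
        status = int(m["status"])
        if status != 200:
            failed_by_ip[m["ip"]] += 1
            if only_success:
                continue
        hits.append({"ip": m["ip"], "url": m["url"], "status": status, "reasons": reasons})
    return hits, failed_by_ip


if __name__ == "__main__":
    found, failed = scan(SAMPLE_LOG)
    for h in found:
        print(h["status"], h["ip"], ",".join(h["reasons"]), h["url"])
    print("non-200 probes per IP:", dict(failed))
```

On the sample, the last line is reported with only `file_param`: that is the benign request the bare SIEM query would also flag, which is why the two indicators are kept apart. Escalate `traversal` hits with a 200 response, and treat a client with several non-200 probes as reconnaissance worth correlating with Moodle's restore events.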