CVE-2024-38275
📋 TL;DR
Moodle's cURL wrapper (the curl class in lib/filelib.php, used throughout core and plugins for outbound HTTP) does not remove HTTP Authorization headers when it follows a redirect, including a redirect to a different host. Any credential Moodle attached to the original request, for example a bearer token for a web-service API or an OAuth 2 access token, is therefore replayed to whatever server the redirect points at. Every site on an unpatched release is affected, regardless of configuration; an attacker who controls or has compromised a redirect target receives the credential.
💻 Affected Systems
- Moodle
📦 What is this software?
Moodle (open-source learning management system) by Moodle
⚠️ Risk & Real-World Impact
Worst Case
A credential that Moodle attaches to outbound requests (an OAuth 2 access token, an API key for an integrated service, a web-service token) is replayed to an attacker-controlled host. The attacker uses it against the service it was issued for, within that token's scope and lifetime; if the token grants write access to grades, enrolments or files in a connected system, that system's data is exposed or altered.
Likely Case
A token for one integrated service is replayed to a different, legitimate host that the first one redirected to (a CDN, a load balancer, a renamed domain). That host now holds a credential it was never meant to see, and impact depends on whether its operator logs, retains or misuses request headers.
If Mitigated
If outbound requests are confined to hosts you control, a leaked header can only reach those hosts, but the wrapper still replays credentials across a trust boundary on every cross-host redirect, so restricting destinations reduces exposure without removing the defect.
🎯 Exploit Status
Exploitation requires the attacker to control the redirect that Moodle follows while carrying a credential. The 3xx response must come either from a host Moodle contacts with an Authorization header (a compromised or impersonated integration endpoint) or from a legitimate service that redirects to a host the attacker controls (for example an expired domain that a partner still links to). A link supplied by an end user only matters if Moodle fetches it with a credential attached. What the attacker obtains is whatever the wrapper sent, typically a token scoped to the integrated service rather than a Moodle login.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.4.2, 4.3.8, 4.2.11, 4.1.14, or 4.0.16
Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=459500
Restart Required: No
Instructions:
1. Back up the Moodle code directory, config.php, moodledata and the database.
2. Put the site into maintenance mode: php admin/cli/maintenance.php --enable
3. Download the fixed release for your branch from moodle.org (confirm the exact version against the vendor advisory above) and replace the code directory with it, keeping your existing config.php and any locally added plugins.
4. Run the upgrade: php admin/cli/upgrade.php, or open Site administration > Notifications in the browser.
5. Leave maintenance mode (php admin/cli/maintenance.php --disable) and confirm the release number under Site administration > Notifications.
🔧 Temporary Workarounds
Restrict the hosts the wrapper may contact
Moodle has no global setting that turns off redirect following in its cURL wrapper, so redirects cannot simply be disabled. The wrapper does check the cURL blocked-hosts and allowed-ports lists (Site administration > General > HTTP, or config.php) against the initial URL and against each redirect hop, so listing hosts and networks that must never receive a credential limits where a leaked header can travel. Note that this is a blocklist, not an allow-list: it reduces exposure rather than guaranteeing that only trusted hosts are reached. Each entry is a hostname, IP address or CIDR range, one per line; adjust the example to your environment.
Edit config.php and set: $CFG->curlsecurityblockedhosts = "127.0.0.1\n10.0.0.0/8\n172.16.0.0/12\n192.168.0.0/16\nuntrusted.example";
Edit config.php and set: $CFG->curlsecurityallowedport = "443";
Reduce and rotate the credentials the wrapper carries
Disable outbound integrations you do not use (OAuth 2 services, LTI tools, external repositories, web-service calls to other systems). For the ones you keep, rotate their tokens after patching: a token that has already been replayed through a redirect stays valid until it is revoked.
🧯 If You Can't Patch
- Route Moodle's outbound HTTP through an egress proxy that logs destination hosts and whether an Authorization header was present, and alert on credentialed requests to hosts outside your list of integration endpoints
- Inventory every external service Moodle contacts with a credential, confirm each is trusted and actively maintained, and remove integrations whose endpoints you cannot vouch for
🔍 How to Verify
Check if Vulnerable:
Compare the release shown under Site administration > Notifications (or in version.php) with the fixed versions above: any earlier release on the same branch is vulnerable. No configuration setting removes the defect, so a vulnerable release is vulnerable whatever config.php contains.
Check Version:
From the Moodle root: grep '^\$release' version.php (or php admin/cli/cfg.php --name=release); the same value is shown under Site administration > Notifications.
Verify Fix Applied:
Confirm the release number is at or above the fixed version for your branch. Then test the behaviour directly: stand up a host that answers with a 302 to a second host, have the wrapper request the first host with an Authorization header, and check on the second host that the header did not arrive.
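The behavioural check described above (and the leak scenario in the risk section), as an added example that is not part of the page or of Moodle's code. Two throwaway HTTP servers on 127.0.0.1 stand in for the integration endpoint Moodle calls with a credential and for the third-party host its redirect points at; a minimal redirect-following client is driven through them once replaying every header (the behaviour this CVE describes) and once dropping credential headers when the host or port changes (what a safe wrapper does). Ports are chosen at run time, and the paths, token value and the same-host /internal route are constructed for the example. Run as a script it also keeps listening so you can point a real client, such as Moodle's curl class, at the printed /probe URL with an Authorization header and watch which server receives it.

```python
"""Does a redirect-following client leak Authorization to a second host?"""
import http.client
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Every non-redirect response served: (server_port, path, lower-cased headers).
received = []


class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass

    def record_and_ok(self):
        received.append((self.server.server_port, self.path,
                         {k.lower(): v for k, v in self.headers.items()}))
        self.send_response(200)
        self.end_headers()


class Origin(Quiet):
    """Stands in for the service Moodle calls with a credential.  /internal
    redirects within the same host (constructed case); every other path
    redirects to the target host."""
    target_base = ""  # filled in once both servers are up
    self_base = ""

    def do_GET(self):
        if self.path == "/done":
            return self.record_and_ok()
        dest = self.self_base + "/done" if self.path == "/internal" else self.target_base + self.path
        self.send_response(302)
        self.send_header("Location", dest)
        self.end_headers()


class Target(Quiet):
    """Stands in for the third-party host the redirect points at."""
    def do_GET(self):
        self.record_and_ok()


def start(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)  # port 0: any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_port


TARGET = start(Target)
ORIGIN = start(Origin)
Origin.target_base, Origin.self_base = TARGET, ORIGIN

REDIRECT_CODES = (301, 302, 303, 307, 308)
CREDENTIAL_HEADERS = ("authorization", "cookie")


def fetch(url, headers, strip_on_host_change, max_hops=5):
    """Minimal redirect-following client.  strip_on_host_change=False replays
    every header to every hop (the CVE-2024-38275 behaviour); True drops the
    credential headers as soon as host or port differ from the first URL."""
    headers = dict(headers)
    first = urlsplit(url)
    for _ in range(max_hops + 1):
        u = urlsplit(url)
        if strip_on_host_change and (u.hostname, u.port) != (first.hostname, first.port):
            headers = {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}
        conn = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
        try:
            conn.request("GET", u.path or "/", headers=headers)
            resp = conn.getresponse()
            resp.read()
            location = resp.getheader("Location")
            if resp.status in REDIRECT_CODES and location:
                url = location
                continue
            return resp.status
        finally:
            conn.close()
    raise RuntimeError("too many redirects")


def credential_reaches_final_hop(path, strip_on_host_change):
    """Drive the client through ORIGIN + path; report whether the last server
    in the chain received the Authorization header."""
    del received[:]
    status = fetch(ORIGIN + path, {"Authorization": "Bearer constructed-example-token"},
                   strip_on_host_change)
    if status != 200 or not received:
        raise RuntimeError("redirect chain did not end in a 200")
    return "authorization" in received[-1][2]


if __name__ == "__main__":
    for path, strip in (("/api/grades", False), ("/api/grades", True), ("/internal", True)):
        print("%-12s strip=%-5s leaked=%s" % (path, strip, credential_reaches_final_hop(path, strip)))
    print("listening: request %s/probe from the client under test (Ctrl-C to stop)" % ORIGIN)
    seen = len(received)
    while True:
        time.sleep(0.5)
        for port, p, hdrs in received[seen:]:
            print("port %d received %s  authorization present: %s" % (port, p, "authorization" in hdrs))
        seen = len(received)
```

The first two runs show the same cross-host redirect leaking and not leaking the token depending only on the client's policy; the third shows that a same-host redirect keeps the header, which is the behaviour a fixed wrapper should preserve so that legitimate in-service redirects keep working. When you point a real client at the /probe URL, a leak shows up as the Target port reporting "authorization present: True".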
📡 Detection & Monitoring
Log Indicators:
- Moodle's own logstore does not record outbound HTTP requests or their headers, so these indicators require an egress proxy (or equivalent) that logs the outgoing requests Moodle makes
- Outbound requests carrying an Authorization header to a host outside the set of integrated services
- 3xx responses from an integrated service whose Location points to a different host, followed by a credentialed request to that host
Network Indicators:
- Outbound HTTP/HTTPS connections from the Moodle web hosts to destinations that are not known integration endpoints, especially immediately after a connection to one that is
- Redirect chains that cross hosts while the request is authenticated
SIEM Query:
source="moodle_logs" AND message="*curl*" AND message="*redirect*" AND message="*authorization*"
This only returns results if outbound-request logs (for example from an egress proxy) are being shipped under that source; field names and wildcard syntax follow the SIEM in use.
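The detection logic above, as an added example that is not part of the page or of any Moodle or SIEM product. It assumes an egress proxy that writes one key=value line per outbound request with the destination host, response status, any Location header and whether an Authorization header was present; that format, the hostnames and the sample log lines are constructed for the example. It flags every credentialed request to a host outside the allow-list and, where it can, names the trusted host whose redirect sent the credential there.

```python
"""Flag credentialed outbound requests that left the set of trusted hosts."""
import re
from urllib.parse import urlsplit

# key=value tokens; values may be quoted when they contain spaces or '='.
TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: an in-service CDN redirect (benign) and a redirect from a
# partner LTI host to an attacker-controlled collector (the leak).
SAMPLE_LOG = """\
ts=2024-06-20T10:12:03Z src=10.0.0.5 method=GET host=api.partner.example path=/v1/grades status=302 location="https://cdn.partner.example/v1/grades" auth=present
ts=2024-06-20T10:12:03Z src=10.0.0.5 method=GET host=cdn.partner.example path=/v1/grades status=200 location=- auth=present
ts=2024-06-20T10:12:09Z src=10.0.0.5 method=GET host=lti.partner.example path=/launch status=302 location="https://collector.attacker.example/x" auth=present
ts=2024-06-20T10:12:09Z src=10.0.0.5 method=GET host=collector.attacker.example path=/x status=200 location=- auth=present
ts=2024-06-20T10:13:00Z src=10.0.0.5 method=GET host=repo.example.org path=/file status=200 location=- auth=absent
"""

# Hosts Moodle is expected to authenticate to (constructed allow-list).
TRUSTED_HOSTS = {"api.partner.example", "cdn.partner.example",
                 "lti.partner.example", "repo.example.org"}


def parse_line(line):
    """Turn one key=value log line into a dict, stripping value quotes."""
    return {k: v.strip('"') for k, v in TOKEN.findall(line)}


def find_credential_leaks(log_text, trusted_hosts):
    """Return one finding per credentialed request to a non-trusted host.

    Each finding records the host and path that received the credential and,
    if a preceding 3xx from a trusted host pointed at that host, which trusted
    host redirected there ("via"); None means the request was not explained
    by a logged redirect."""
    findings = []
    redirected_to = {}  # untrusted host -> trusted host that redirected to it
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        if e["status"].startswith("3") and e["location"] != "-":
            dest = urlsplit(e["location"]).hostname
            if dest and dest not in trusted_hosts:
                redirected_to[dest] = e["host"]
        if e["auth"] == "present" and e["host"] not in trusted_hosts:
            findings.append({"ts": e["ts"], "host": e["host"], "path": e["path"],
                             "via": redirected_to.get(e["host"])})
    return findings


if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_LOG, TRUSTED_HOSTS):
        print("%s credential sent to %s%s (redirected from %s)"
              % (f["ts"], f["host"], f["path"], f["via"] or "unknown"))
```

The first pair of lines in the sample is the benign case that a naive "any redirect with Authorization" rule would alert on: the redirect stays within trusted hosts, so nothing is flagged. Only the request that actually delivered a credential to collector.attacker.example produces a finding, attributed to the lti.partner.example redirect that caused it, which is the host whose integration token should be rotated first.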