CVE-2024-43432
📋 TL;DR
This vulnerability in Moodle's cURL wrapper (the `curl` class in lib/filelib.php) can leak HTTP credentials when a request it makes is redirected. On a redirect the wrapper drops the credentials configured through cURL's own options (CURLOPT_HTTPAUTH / CURLOPT_USERPWD), but an Authorization header supplied as a custom request header is re-sent unchanged to the redirect target. A token or password meant for the original host therefore reaches whatever server the Location header points to, including a third party. Any Moodle site running a version without the fix is affected wherever the wrapper fetches a URL that can redirect.
💻 Affected Systems
- Moodle
📦 What is this software?
Moodle by Moodle
⚠️ Risk & Real-World Impact
Worst Case
Authentication credentials (including potentially sensitive tokens or passwords) are transmitted to malicious redirect destinations, leading to account compromise and unauthorized access to Moodle systems.
Likely Case
Accidental credential leakage to legitimate but unintended third-party services during normal redirect operations, potentially violating security policies and exposing sensitive information.
If Mitigated
With outbound traffic from the Moodle host restricted to an allowlist of trusted destinations (egress proxy or firewall), a redirect can only carry the header to a host you already trust, so the impact drops to a policy violation rather than credential theft. Network segmentation alone does not help: the leak is an outbound request that Moodle itself initiates.
🎯 Exploit Status
Exploitation requires that Moodle send an authenticated request to a URL whose response the attacker controls: either a server they operate or have compromised (for example an external repository or service endpoint the site is configured to call), or a network position that lets them inject a 3xx response into plaintext HTTP traffic. The attacker answers with a redirect to a server they run and reads the forwarded Authorization header there. No exploit code is involved; any web server that can return a Location header suffices. The flaw is in the redirect-handling logic, not a directly reachable attack surface, so exposure depends on which remote URLs your site fetches with credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Moodle security advisories for specific fixed versions
Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=461200
Restart Required: No. The fix is a PHP code change; if OPcache runs with validate_timestamps disabled, reset it so the patched file is loaded.
Instructions:
1. Check your Moodle version
2. Apply the latest security patches from Moodle
3. Update to a version that includes the fix for CVE-2024-43432
4. Confirm the fix by checking the version and, where you want end-to-end assurance, by running the redirect check described under How to Verify
🔧 Temporary Workarounds
Limit where the wrapper can be redirected to
Moodle does not expose a documented site-wide switch that turns off redirect following, and `$CFG->curl_allow_redirects = false;`, which some write-ups suggest, is not a Moodle configuration setting; do not rely on it. The controls that do exist are the cURL blocked hosts list and allowed ports list under Site administration > General > HTTP security (`$CFG->curlsecurityblockedhosts`, `$CFG->curlsecurityallowedport`), which constrain the hosts and ports the wrapper will connect to, and routing the wrapper through an egress proxy (`$CFG->proxyhost` / `$CFG->proxyport`) that enforces a destination allowlist, so a redirect to an untrusted host fails to connect at all.
🧯 If You Can't Patch
- Route the Moodle host's outbound HTTP(S) through an egress proxy that allowlists destinations and logs request headers, and alert on Authorization headers sent to hosts outside the allowlist
- Do not expect an inbound web application firewall to catch this: the leak is an outbound request from the Moodle server, which an inbound WAF never sees
🔍 How to Verify
Check if Vulnerable:
Check if your Moodle version is affected by comparing against the patched versions in Moodle security advisories
Check Version:
Check Moodle version in the admin interface (Site administration > Notifications) or from the Moodle directory with: php -r 'define("CLI_SCRIPT", true); require("config.php"); echo $CFG->release, "\n";' (the form with double quotes lets the shell expand $CFG to an empty string). Alternatively read $release in version.php.
Verify Fix Applied:
Make the patched site fetch a URL under your control that returns a 302 to a second server you also control, with an Authorization header on the request, and confirm from the second server's logs that the header did not arrive. Before the fix it does; after the fix it is stripped once the host changes.
📡 Detection & Monitoring
Log Indicators:
- Unexpected outbound HTTP requests containing authorization headers
- 3xx responses whose Location points at a domain you do not recognise, in egress proxy logs (Moodle's standard logstore does not record outbound requests, so this needs a proxy or cURL-level logging)
Network Indicators:
- Outbound HTTP traffic containing Authorization headers to unexpected destinations
- Redirect chains involving third-party domains
SIEM Query:
source="egress_proxy_logs" AND src_ip IN (moodle_hosts) AND has_authorization_header=true AND NOT dest_host IN (trusted_hosts)
The query above is a template: field names depend on your proxy, and it only works if outbound requests from the Moodle host are logged with header metadata. A query over Moodle's own logs for "redirect" or "curl" will return nothing useful, because Moodle does not log outbound cURL calls by default.
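A worked version of the detection above, as an added example (not part of this page or of Moodle): it runs two rules over egress-proxy log lines, one for an Authorization header sent to a host outside an assumed allowlist, and one for a credential-bearing request that immediately followed a cross-host redirect from the same client, which is the exact shape of this leak. The JSON-lines log format, the allowlist and the sample lines are constructed for the example; adapt the field names to your proxy.

```python
"""Detection over egress-proxy log lines: flag requests that carried an
Authorization header to an untrusted host, and credential requests that
followed a cross-host redirect from the same client.  Added example; the
log format is a constructed JSON-lines shape, not a real proxy format."""
import json
from datetime import datetime
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"lms.example.org", "repository.example.org"}  # assumed allowlist
CHAIN_WINDOW_S = 5  # a follow-up request this close counts as the same chain

# Constructed sample: a Moodle host (10.0.5.12) fetches an authenticated
# resource, is redirected to a CDN outside the allowlist, and follows the
# redirect with the same bearer token.  The later requests are benign.
SAMPLE_LOG = """\
{"ts":"2024-08-20T10:00:01Z","src":"10.0.5.12","method":"GET","url":"https://repository.example.org/api/files/42","status":302,"auth":true,"location":"https://cdn.thirdparty.example/f/42"}
{"ts":"2024-08-20T10:00:01Z","src":"10.0.5.12","method":"GET","url":"https://cdn.thirdparty.example/f/42","status":200,"auth":true}
{"ts":"2024-08-20T10:00:07Z","src":"10.0.5.12","method":"GET","url":"https://lms.example.org/webservice/rest/server.php","status":200,"auth":true}
{"ts":"2024-08-20T10:00:09Z","src":"10.0.5.12","method":"GET","url":"https://cdn.thirdparty.example/public/logo.png","status":200,"auth":false}
"""


def parse(lines):
    """Parse JSON lines into events with a datetime and the request host."""
    events = []
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        e = json.loads(raw)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        e["host"] = urlsplit(e["url"]).hostname
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])  # stable: file order on ties


def detect(lines, trusted=TRUSTED_HOSTS):
    """Return a list of (rule, host, ts) findings."""
    findings = []
    last_redirect = {}  # src -> (ts, host that answered 3xx, host in its Location)
    for e in parse(lines):
        # Rule 1: credentials left the allowlist, whatever the reason.
        if e["auth"] and e["host"] not in trusted:
            findings.append(("auth-to-untrusted-host", e["host"], e["ts"]))
        # Rule 2: the request is the next hop of a cross-host redirect and
        # still carries credentials; fires even if the target is trusted.
        prev = last_redirect.get(e["src"])
        if (prev and e["auth"] and e["host"] == prev[2] and e["host"] != prev[1]
                and (e["ts"] - prev[0]).total_seconds() <= CHAIN_WINDOW_S):
            findings.append(("auth-followed-cross-host-redirect", e["host"], e["ts"]))
        if 300 <= e["status"] < 400 and e.get("location"):
            last_redirect[e["src"]] = (e["ts"], e["host"],
                                       urlsplit(e["location"]).hostname)
    return findings


if __name__ == "__main__":
    for rule, host, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule}: {host}")
```

Rule 2 is the one worth keeping even after the allowlist is tuned: a trusted host that has been compromised can still redirect a credential to itself, and the chain pattern catches that without depending on the allowlist at all.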