On August 10th, the popular learning platform “Moodle” released an update fixing %%cve:2024-43425%%. RedTeam Pentesting found the vulnerability and published a detailed blog post late last week. The blog post demonstrates in detail how a user with the “trainer” role could execute arbitrary code on the server. A trainer would have to publish a “calculated question”. These questions are generated dynamically by evaluating a formula. Sadly, the formula was evaluated using PHP’s “eval” command. As pointed out by RedTeam Pentesting, “eval” is a very dangerous command to use and should be avoided if at all possible. This applies not only to PHP but to most languages (also see my video about command injection vulnerabilities). As I usually say: “eval is only one letter away from evil”.
Article Link: Scans for Moodle Learning Platform Following Recent Update - SANS Internet Storm Center