Moodle is a learning platform designed to provide educators, administrators and learners with a single robust, secure and integrated system to create personalised learning environments.
Moodle is widely used in the University of Porto and one of its main uses envolves carrying out digital exams to evaluate the knowledge of students.
In order to avoid cheating in exams, a tool named MoodleWatcher was developed. According to the authors:
MoodleWatcher consists of a front-end web application that shares code with Moodle in relation to the use of database access. […]
The main purpose of the tool is to provide a simple and efficient monitoring method to be used by teachers in order to assure them of the integrity of the tests and exams carried out using Moodle.
There is a whole paper explaining the MoodleWatcher tool, so I won’t be listing here all the features of the system.
Procrastinate: Delay or postpone action; put off doing something.
During a study-procrastinate session, I remembered a previously taken Moodle exam where one of the vigilant professors announced something like "Do not cheat during the exam, your actions are being monitored".
This made me slightly curious. Was the professor really speaking the truth? Does Moodle have a feature for monitoring students' actions during quizzes? After a bit of research I found the page of MoodleWatcher. And by searching the system for some time I realized that the professor was indeed telling the true, most of the actions were being monitored.
MoodleWatcher generates a report for each quiz, listing all unallowed and possibly dangerous actions made by students.
During my procrastination, I tried exploiting the system with a basic SQL injection attack on the quiz ID, but the system was protected against such attacks. So I started trying random quiz IDs to see exactly what kind of actions were being tracked. While doing this, I noticed that some of the pages were throwing some strange errors from the Moodle platform and the whole error page from Moodle was being displayed. I am sorry, but I did not capture a screenshot for this.
Eventually I gave up on hacking MoodleWatcher and went back to Moodle, ready to restart my studying session. That’s when I noticed something strange: instead of being logged in my normal account, I was logged in as a user named with a single dot (".").
I pressed the "Save changes" button in the Edit Profile page, without changing any settings, and got taken to my profile page:
All of a sudden I was no longer myself nor the dot user, I was the Admin User. And this meant that I had full access to MoodleUP, including the possibility of managing accounts, viewing hidden quizzes, downloading a full backup, changing grades, etc.
So what exactly allowed me to gain administrator access to MoodleUP? And what does MoodleWatcher have to do with it? In fact, there was an interesting security vulnerability in MoodleWatcher that allowed anyone to accidentally perform a session hijacking attack. When something went wrong while displaying the report, the whole Moodle error page was being shown to the user. Unfortunately, I did not capture a screenshot for this, so I fired up Photoshop and tried to recreate it from memory:
Clearly, the dot user was the account used by the system to fetch all information from Moodle. Then, in case of error, the whole error page was being redirected to the user.
Despite not being the safest and most beautiful solution, it did work well as a way of outputting errors, which in the end is what matters. The problem was that the body of the HTTP request was not the only data being redirected to the user. The HTTP headers were being redirected too! And this includes the Set-Cookie header with the session token. That’s the reason why after going back to MoodleUP I was logged in as the dot user.
But why did pressing the "Save" button on the Edit Profile page convert me from the dot user to the Admin User of Moodle? I’m not sure, but I believe they actually are the same account. For some reason, the user name seems to change depending on the active language: "." in Portuguese and "Admin User" in English.
The issue was reported to the developers behind MoodleWatcher and got solved in a couple days. The fix was simple: redirect only the HTTP body instead of sending also the headers.
Eventually, another layer of protection was added by implementing HTTP Basic Authentication to the whole MoodleWatcher platform.