Miggo Logo

CVE-2018-1043: Moodle Setting for blocked hosts list can be bypassed with multiple A record hostnames

6.5

CVSS Score
3.0

Basic Information

EPSS Score
0.43804%
CWE
-
Published
5/13/2022
Updated
4/23/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
moodle/moodlecomposer>= 3.2, < 3.2.73.2.7
moodle/moodlecomposer>= 3.3, < 3.3.43.3.4
moodle/moodlecomposer>= 3.4, < 3.4.13.4.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from incomplete validation of DNS A records in Moodle's cURL security check. The 'curl_security_check_host' function (in lib/curl.php) was responsible for validating hosts against the blocked list but only checked the first resolved IP address. Attackers could bypass restrictions by using hostnames that resolve to both allowed and blocked IPs. This aligns with the CVE description of bypassing via multiple A records and matches Moodle's security advisory referencing fixes in cURL host validation logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In Moo*l* *.x, t** s*ttin* *or *lo*k** *osts list **n ** *yp*ss** wit* multipl* * r**or* *ostn*m*s.

Reasoning

T** vuln*r**ility st*ms *rom in*ompl*t* v*li**tion o* *NS * r**or*s in Moo*l*'s *URL s**urity ****k. T** '*url_s**urity_****k_*ost' *un*tion (in li*/*url.p*p) w*s r*sponsi*l* *or v*li**tin* *osts ***inst t** *lo*k** list *ut only ****k** t** *irst r*