A Critical Moodle LMS Security Vulnerability — All Versions
EDIT: Start of edit posted on 25 Nov 09…
Moodle releases urgent upgrade notice on Nov 25th, two weeks after this post. To upgrade your Moodle 1.9 or 1.8 branch installs, see the following information.
If you are among the tens of thousands of people using the 1.7 or 1.6 branches (which, as of today, are still being offered for download on moodle.org), it seems support for those branches has been discontinued and there is no fix for your sites. Upgrading is your only option.
End of edit on 25 Nov 09
The embeded video below is a short, to the point, demonstration of a very serious Moodle security/privacy vulnerability that impacts all versions of Moodle. This video is intended to simply demonstrate the exploit. For further detail on the potential extent of this exploit, read the post below this video and see the extended video linked at the bottom of this post. In my informed opinion, aside from the obvious Moodle site security and potential user identity theft issues, this exploit has significant implications on FERPA compliance for all US public education institutions using the Moodle LMS.
If you are a Moodle user at any level, but particularly if you are using Moodle in an educational institution in the US, after watching this video, you may want to have discussions with your network security, FERPA, and/or legal experts on your campus to determine how this may impact your institution and what action you may need to take.
If you are a Moodle administrator, teacher, student, or even if you have ever simply created an account on a Moodle Learning Management System (LMS) site, you need to read this post and watch the videos. It’s no secret that Moodle has suffered from some pretty serious security and user privacy issues over the past few years, but nothing before, that I am aware of comes close to the severity of the Moodle security/privacy vulnerability I discovered a few days ago. In the videos below I will demonstrate the problem and show you how you can verify the problem on your own Moodle site using nothing more than a normal teacher account. I’ll also show you how to patch the vulnerability and will discuss some important implications that you may need to consider after patching your site.
I stumbled across this problem after seeing the following exchange in the developer’s forum on moodle.org.
I spent 10 years in the 1980’s as a teletype/crypto maintenance technician and although I haven’t kept up with the field, that reply by a core Moodle developer caught my attention. Particularly the last two sentence that read:
“Something that has been encrypted can be decrypted. Something that has been hashed cannot be.”
I think most people know the first sentence is correct, but the last sentence is completely off the mark. The user passwords in Moodle are unsalted, MD5 hashes. MD5 has been proven to be breakable for years now–salted or not. A quick Google search on MD5 gives anyone all the information they need to know about the history of MD5 and its vulnerabilities. If you want to read up on it, you can start here (http://en.wikipedia.org/wiki/MD5) to get a good overview of the history and vulnerabilities and then follow dozens of other links for Brute Force MD5 cracking sites, like this one (http://gdataonline.com/seekhash.php) as well as more sophisticated methods for cracking MD5 hashes using Rainbow Tables and pre-computation methods…the later, I admit, I don’t fully understand.
So, bottom line…knowing that MD5 is no longer considered secure (and hasn’t been for a long time); and knowing that Moodle user passwords are stored in the Moodle database as simple, unsalted MD5 hashes; then seeing the post above from one of the Moodle core developers and “security experts”…I got curious. The videos below show what I found…you need to watch them.