Skip to content

Advisory: CRLF Injection Vulnerability in Moodle.

by on December 13, 2011

Hello All,

I was on a web application penetration test, the client was running a course management system called Moodle. I ran through my normal methodology however as this was a piece of open source software I decided to download the source code and review it for bugs.

I hit jackpot and found a vulnerable redirect() function which made a call to the header() function, to do a redirect. However the $url variable passed to the header() function was not being sanitized prior to it’s use. Therefore allowing an attacker to inject artibitary headers and control the way the application functions.

As this was an unreleased bug (0day) I had to come up with a fix for the client, I therefore went down the route of responsible disclosure and disclosed the bug to Moodle security team, who later fixed it rather promptly might I add. During this time I also contacted Mitre to see if I can assign it a CVE. In order for me to do that I had to drop an advisory and so here it is…

Topic: CRLF Injection (HTTP Response Splitting) vulnerability in Moodle.
Severity: Critical
Releases affected: 1.9.14, 2.0.5, 2.1.2, 2.2
Patched Releases: 1.9.15, 2.0.6, 2.1.3
Affected Components: Calendar
Reported and coordinated by: Mike Evans (
Issue Number: MDL-24808
CVE Number:

Moodle 1.9.14 through to 2.2 is vulnerable to a CRLF Injection Attack that affects: /calendar/set.php and other parts
of the Course Management System that utilise the redirect() function. The problem arises from the lack of sanitization on the $url variable
prior to being used in the following snippet of code:

@header(‘Location: ‘.$url);

This allows for an attacker to inject his own CRLF sequence into an HTTP communication, which gives the attacker the ability to control the way the web application
functions. The amount of attacks that can be leverage from the vulnerability are huge, some of them include; cross site scripting, cross-user defacement, hijacking
of web pages and positioning of the clients web cache. Moodle have been contacted and have fixed this issue.


Upgrade to any of the following releases: 1.9.15, 2.0.6, 2.1.3

From → pentura

  1. shizzler permalink

    Dude, if I’m not mistaken the header() function doesn’t allow newline characters.
    This has already been securely fixed a long-long time ago, in a galaxy far far away.

    Any thought? Am I wrong?

  2. Anonymous permalink

    i’ve seen this today and moodle seems to be in the 2.2.2 version, is that version vulnerable.. and from where did you get to /calendar/set.php??


  3. dusty permalink


    Thanks for you’re comments.

    The problem was with the sanitizing of the $url variable in the function redirect(), it was not being sanitized correctly before using in:

    @header(‘Location: ‘.$url);

    Also, if you look at the bug tracker and Moodle advisory you will see when this was reported and when it was fixed. So please have a look at the following URL:

    – Dusty

  4. xtrm0 permalink

    How can this exploit be used in moodle 1.9.5?

  5. dusty permalink

    @xtrm0: You would have to check the code base for Moodle 1.9.5 to see if the vulnerability exists.

    @dangerf: This is not an SQL Injection vulnerability.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: