Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Pre-Auth RCE in Moodle Part II - Session Hijack in Moodle's Shibboleth- 752

Robin Peraglie & Johannes Moritz, posted 4 years ago
  • Moodle is an open source eLearning platform built in PHP. Moodle has an authentication plugin for the Shibboleth protocol; this is another SSO solution.
  • For every logout request on Shibboleth, the function logout_db_session() is invoked. The function iterates over all available sessions and decodes each one with session_decode(). This decodes the serialized session data AND writes it into the superglobal $_SESSION. That second side effect is a big deal.
  • While the loop runs session_decode() over every session, the user who is logging out is effectively logged in as each of those users for a very small time window. Additionally, the LAST decoded user is never unloaded, so $_SESSION remains populated with that user after the loop ends. An attacker can trigger the logout, clear their session, and try again until the last user happens to be an administrator.
  • The fix for this vulnerability is to decode the session data by hand instead of using the PHP built-in function. To me, this is a bug by the developer, but more of the blame goes to PHP: there should be a way to decode session data without becoming that user. In the future, I'll check for calls to session_decode() to see whether a similar issue exists elsewhere. Good find!
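As an added illustration (not code from the Moodle post or from Moodle itself), the snippet below reproduces the session_decode() side effect on constructed sample data and shows one defensive pattern: snapshotting and restoring $_SESSION around the call. This differs from Moodle's actual fix, which decodes the serialized data by hand; the wrapper name and sample values are assumptions for the example.

```php
<?php
// Added example, not Moodle's code: session_decode() writes into $_SESSION as a
// side effect, so a "read-only" look at another user's session data silently
// makes the current request act as that user. The wrapper below snapshots and
// restores $_SESSION so the decoded data can be inspected without that effect.

declare(strict_types=1);

// Decode serialized session data (default "php" serialize handler format)
// without leaving it in $_SESSION. session_decode() requires an active
// session, so the caller must have called session_start() first.
function decode_session_isolated(string $data): array
{
    $saved = $_SESSION;          // snapshot of the caller's real session
    $_SESSION = [];
    try {
        if (!session_decode($data)) {
            return [];
        }
        return $_SESSION;        // arrays are copied by value in PHP
    } finally {
        $_SESSION = $saved;      // always restore the caller's session
    }
}

// Constructed sample: the current user is "alice"; the stored record being
// inspected belongs to "admin" (hypothetical values, not from the post).
session_start();
$_SESSION['USER'] = 'alice';
$storedRecord = 'USER|s:5:"admin";SESSION|a:1:{s:4:"shib";b:1;}';

// Naive use: after this call $_SESSION belongs to "admin" for the rest of
// the request, which is the behaviour the post describes.
session_decode($storedRecord);
echo "after naive decode, current user: " . $_SESSION['USER'] . "\n";   // admin

// Reset to the real user and repeat with the isolated wrapper.
$_SESSION = ['USER' => 'alice'];
$decoded = decode_session_isolated($storedRecord);
echo "isolated decode saw user: " . $decoded['USER'] . "\n";            // admin
echo "current user is still: " . $_SESSION['USER'] . "\n";               // alice
```

Run it from the CLI (`php example.php`); the first line shows the identity swap, the last two show the inspected data and the untouched current session.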