CVE-2013-3630
Published: 2013-11-01
Priority: P3 · 46 · medium · CVSS 2.0 score 4.6
Vector: AV:N/AC:H/Au:S/C:P/I:P/A:P
EXPLOIT: public exploit available
EPSS: 42.57% (98.5th percentile)
Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname and then triggering a spell-check operation within the TinyMCE editor.
Affected
117 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| moodle | moodle | <= 2.5.2 | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to the Moodle spellchecker RPC endpoint at /lib/editor/tinymce/tiny_mce/3.4.9/plugins/spellchecker/rpc.php with Content-Type application/json; this is the trigger point for payload execution.
- Detect POST requests to /admin/settings.php whose body contains section=systempaths and sets s__aspellpath to a non-standard binary path (i.e. not a legitimate aspell binary), indicating command injection into the aspell path setting.
- Alert on POST requests to /admin/settings.php with section=editorsettingstinymce and s_editor_tinymce_spellengine=PSpellShell, the prerequisite configuration step for exploitation.
- The exploit chain involves stealing an admin sesskey via a referenced XSS vulnerability (EDB-28174) to escalate from unprivileged authenticated user to admin; monitor for sesskey exfiltration patterns in conjunction with admin settings changes.
- The JSON payload body sent to the spellchecker RPC endpoint uses the method checkWords; detect JSON POST bodies to rpc.php containing this method as the execution trigger.
- Exploitation requires authenticated access; the attacker must either have admin credentials or leverage the companion XSS (EDB-28174) to steal an admin sesskey. Detection should account for both direct admin login and sesskey-hijacking scenarios.
- The vulnerability was confirmed against Moodle versions 2.5.2 and 2.2.3; the NVD scope is "through 2.5.2". A closely related variant using a different variable was later identified affecting Moodle 3.8.0–3.11.2 (see moodle_spelling_path_rce.rb), so detections on the settings path should not be version-gated too narrowly.
- The default TARGETURI in the Metasploit module is /moodle/, but Moodle may be installed at the web root or other paths; detection rules should use relative path matching rather than absolute path matching.
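The three detection points above (the PSpellShell engine switch, the non-standard s__aspellpath value, and the checkWords call to rpc.php) are most useful when correlated per session rather than alerted on individually, because a lone checkWords request is ordinary editor use. The correlator below is an added example, not code from this page, from Moodle, or from any detection product. It assumes a log source that records POST bodies (a reverse proxy or WAF; a plain Moodle access log does not), the constructed line format shown in the comment, and a site-specific allow-list of legitimate aspell binary locations. Paths are matched by suffix, as the last bullet above recommends.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed sample lines (not real traffic). Assumed format, one request per line:
# <timestamp> <client_ip> <session_id> <method> <path> <content_type> <request_body>
# "-" stands for an empty content type or body.
SAMPLE_LOG = """\
2013-10-31T10:00:01Z 203.0.113.5 sess_A POST /moodle/admin/settings.php application/x-www-form-urlencoded section=editorsettingstinymce&s_editor_tinymce_spellengine=PSpellShell&sesskey=k1
2013-10-31T10:00:07Z 203.0.113.5 sess_A POST /moodle/admin/settings.php application/x-www-form-urlencoded section=systempaths&s__aspellpath=/tmp/not-aspell&sesskey=k1
2013-10-31T10:00:15Z 203.0.113.5 sess_A POST /moodle/lib/editor/tinymce/tiny_mce/3.4.9/plugins/spellchecker/rpc.php application/json {"id":"c0","method":"checkWords","params":["en",["hello"]]}
2013-10-31T11:00:00Z 198.51.100.7 sess_B POST /admin/settings.php application/x-www-form-urlencoded section=systempaths&s__aspellpath=/usr/bin/aspell&sesskey=k2
2013-10-31T11:00:05Z 198.51.100.7 sess_B POST /lib/editor/tinymce/tiny_mce/3.4.9/plugins/spellchecker/rpc.php application/json {"id":"c0","method":"checkWords","params":["en",["teh"]]}
2013-10-31T11:30:00Z 198.51.100.7 sess_B GET /course/view.php?id=2 - -
"""

# Assumption: where aspell legitimately lives on your hosts. Tune per deployment.
LEGIT_ASPELL_PATHS = {"", "/usr/bin/aspell", "/usr/local/bin/aspell"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$")


def parse_line(line):
    """Split one line of the assumed format into a dict; None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, session, method, path, ctype, body = m.groups()
    return {"ts": ts, "ip": ip, "session": session, "method": method,
            "path": path, "ctype": ctype, "body": body}


def classify(event):
    """Map one request to a detection stage name, or None.

    Suffix matching on the path is deliberate: Moodle may be served from the
    web root, from /moodle/, or from any other prefix.
    """
    if event["method"] != "POST":
        return None
    path = event["path"].split("?", 1)[0]
    if path.endswith("/admin/settings.php"):
        form = {k: v[0] for k, v in parse_qs(event["body"]).items()}
        section = form.get("section")
        if (section == "editorsettingstinymce"
                and form.get("s_editor_tinymce_spellengine") == "PSpellShell"):
            return "spellengine_pspellshell"
        if section == "systempaths" and "s__aspellpath" in form:
            if form["s__aspellpath"] not in LEGIT_ASPELL_PATHS:
                return "aspellpath_nonstandard"
        return None
    if (path.endswith("/plugins/spellchecker/rpc.php")
            and event["ctype"].startswith("application/json")):
        try:
            payload = json.loads(event["body"])
        except ValueError:
            return None
        if isinstance(payload, dict) and payload.get("method") == "checkWords":
            return "spellcheck_trigger"
    return None


def correlate(log_lines):
    """Group stage hits per session in log order and rate them.

    high:   a non-standard aspell path was set and a checkWords call followed
            in the same session (the full trigger sequence).
    medium: a non-standard aspell path was set but no trigger has been seen yet.
    low:    anything else, e.g. a lone spell-check, which is normal editor use.
    """
    sessions = {}
    for line in log_lines:
        event = parse_line(line)
        if event is None:
            continue
        stage = classify(event)
        if stage is not None:
            sessions.setdefault(event["session"], []).append(stage)
    report = {}
    for session, stages in sessions.items():
        severity = "low"
        if "aspellpath_nonstandard" in stages:
            after = stages[stages.index("aspellpath_nonstandard"):]
            severity = "high" if "spellcheck_trigger" in after else "medium"
        report[session] = {"stages": stages, "severity": severity}
    return report


if __name__ == "__main__":
    for session, finding in correlate(SAMPLE_LOG.splitlines()).items():
        print(session, finding["severity"], " -> ".join(finding["stages"]))
```

On the constructed sample, sess_A is rated high because the path change precedes the checkWords call, while sess_B, which only points the setting at /usr/bin/aspell and then spell-checks, stays low; the allow-list is what keeps routine administration out of the alert stream.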
CVSS provenance
- NVD · CVSS v2.0 · 4.6 MEDIUM · AV:N/AC:H/Au:S/C:P/I:P/A:P
- OSV · 4.6 MEDIUM
OSV · 2022-05-13
CVE-2013-3630 [MEDIUM] Moodle Authenticated Spelling Binary Remote Code Execution
GHSA · 2022-05-13
CVE-2013-3630 [MEDIUM] CWE-94 Moodle Authenticated Spelling Binary Remote Code Execution
OSV · 2013-11-01 · CVSS 4.6
CVE-2013-3630 [MEDIUM] CVE-2013-3630: Moodle through 2
No detection rules found.
Exploit-DB · 2013-10-31
CVE-2013-3630 Moodle - Remote Command Execution (Metasploit)
---
```ruby
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rexml/document'

# The class header and the start of initialize were lost in extraction
# (the "< ... =>" span was stripped as if it were an HTML tag); the lines
# below restore the standard Metasploit 4 module shape only. Mixin includes
# and the rest of the module are not reproduced on this page.
class Metasploit4 < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Moodle Remote Command Execution',
      'Description' => %q{
        Moodle allows an authenticated user to define spellcheck settings via the web interface.
        The user can update the spellcheck mechanism to point to a system-installed aspell binary.
        By updating the path for the spellchecker to an arbitrary command, an attacker can run
        arbitrary commands in the context of the web application upon spellchecking requests.
        This module also allows an attacker to leverage another privilege escalation vuln.
        Using the referenced XSS vuln, an unprivileged authent
```
Metasploit
Moodle Authenticated Spelling Binary RCE
Moodle allows an authenticated user to define spellcheck settings via the web interface. The user can update the spellcheck mechanism to point to a system-installed aspell binary. By updating the path for the spellchecker to an arbitrary command, an attacker can run arbitrary commands in the context of the web application upon spellchecking requests. This module also allows an attacker to leverage another privilege escalation vuln. Using the referenced XSS vuln, an unprivileged authenticated user can steal an admin sesskey and use this to escalate privileges to that of an admin, allowing the module to pop a shell as a previously unprivileged authenticated user. This module was tested against Moodle version 2.5.2 and 2.2.3.
Metasploit · CVSS 4.6
CVE-2013-3630 [MEDIUM] Moodle SpellChecker Path Authenticated Remote Command Execution
Moodle allows an authenticated administrator to define spellcheck settings via the web interface. An administrator can update the aspell path to include a command injection. This is extremely similar to CVE-2013-3630, just using a different variable. This module was tested against Moodle version 3.11.2, 3.10.0, and 3.8.0.
Bugzilla · 2013-11-01 · CVSS 4.6
CVE-2013-3630 [MEDIUM] CVE-2013-3630 moodle: authenticated remote command execution [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects
Bugzilla · 2013-11-01 · CVSS 4.6
CVE-2013-3630 [MEDIUM] CVE-2013-3630 moodle: authenticated remote command execution
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-3630 to the following vulnerability:
Name: CVE-2013-3630
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3630
Assigned: 20130521
Reference: https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-foss-disclosures-part-one
Reference: https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats
Moodle through
Bugzilla · 2013-11-01 · CVSS 4.6
CVE-2013-3630 [MEDIUM] CVE-2013-3630 moodle: authenticated remote command execution [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affe
References
- http://packetstormsecurity.com/files/164479/Moodle-Authenticated-Spelling-Binary-Remote-Code-Execution.html
- https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-foss-disclosures-part-one
- https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats
Published: 2013-11-01