Thousands of businesses that use the Moodle learning management system (LMS) could be at risk of a malicious data breach, it has been reported.
In March, the platform, which allows businesses and organisations to set up websites and online courses, released updates. The Moodle developers noted that a number of security-related issues had been resolved but gave no further details, raising questions about the nature and impact of those issues.
In total, the eLearning platform has over 78,000 websites spanning 234 countries with 100 million users. This means that those using Moodle should act quickly to resolve any issues that could potentially allow attackers to take over web servers.
The extent and severity of these security flaws were revealed later in the month following a blog post from security researcher Netanel Rubin, who found that the flaws allowed attackers to create hidden administrative accounts and execute malicious PHP code on the underlying server.
The data breach takes advantage of incorrect assumptions by the Moodle developers. These included a “logic flaw, an object injection, a double SQL injection, and an overly permissive administrative dashboard”, Mr Rubin said.
He believes that the issue derives from the reimplementation of a specific function without considering decisions made by the original function’s developers.
Mr Rubin said that this is a result of "having too much code, too many developers and lacking documentation".
"Keep in mind that logical vulnerabilities can and will occur in almost all systems featuring a large code base. Security issues in large code bases are, of course, not Moodle specific."
Attackers gaining access to the Moodle platform is dangerous not only because they could install a PHP backdoor by uploading malicious plug-ins or templates, but also because Moodle installations store sensitive and private information about businesses and the eLearners taking online courses.