MSA-18-0002: Setting for blocked hosts list can be bypassed with multiple A record hostnames

by Marina Glancy.  

Moodle setting "cURL blocked hosts list" was introduced in Moodle 3.2 to prevent access to specific addresses (usually internal) when server retrieves URLs requested by the user. PoC was presented how to bypass this restriction by using a DNS record that returns multiple A records for a hostname.


Severity/Risk:Minor
Versions affected:3.4, 3.3 to 3.3.3 and 3.2 to 3.2.6
Versions fixed:3.4.1, 3.3.4 and 3.2.7
Reported by:Jordan Tomkinson
CVE identifier:CVE-2018-1043
Changes (master):http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61143
Tracker issue:MDL-61143 curlsecurityblockedhosts can be bypassed with multiple A record hostnames

Read more https://moodle.org/mod/forum/discuss.php?d=364382&parent=1469491