CRLF Injection Vulnerability in Moodle | InteliSecure



I was on a web application penetration test, the client was running a course management system called Moodle. I ran through my normal methodology however as this was a piece of open source software I decided to download the source code and review it for bugs.

I hit jackpot and found a vulnerable redirect() function which made a call to the header() function, to do a redirect. However the $url variable passed to the header() function was not being sanitized prior to it’s use. Therefore allowing an attacker to inject artibitary headers and control the way the application functions.

As this was an unreleased bug (0day) I had to come up with a fix for the client, I therefore went down the route of responsible disclosure and disclosed the bug to Moodle security team, who later fixed it rather promptly might I add. During this time I also contacted Mitre to see if I can assign it a CVE. In order for me to do that I had to drop an advisory and so here it is…

Topic: CRLF Injection (HTTP Response Splitting) vulnerability in Moodle.
Severity: Critical
Releases affected: 1.9.14, 2.0.5, 2.1.2, 2.2
Patched Releases: 1.9.15, 2.0.6, 2.1.3
Affected Components: Calendar
Reported and coordinated by: Mike Evans (
Issue Number: MDL-24808
CVE Number:

Moodle 1.9.14 through to 2.2 is vulnerable to a CRLF Injection Attack that affects: /calendar/set.php and other parts
of the Course Management System that utilise the redirect() function. The problem arises from the lack of sanitization on the $url variable
prior to being used in the following snippet of code:

@header(‘Location: ‘.$url);

This allows for an attacker to inject his own CRLF sequence into an HTTP communication, which gives the attacker the ability to control the way the web application
functions. The amount of attacks that can be leverage from the vulnerability are huge, some of them include; cross site scripting, cross-user defacement, hijacking
of web pages and positioning of the clients web cache. Moodle have been contacted and have fixed this issue.


Upgrade to any of the following releases: 1.9.15, 2.0.6, 2.1.3