CVE-2013-4524: Directory traversal vulnerability in Moodle's repository/filesystem/lib.php allowing remote authenticated users to read arbitrary files via a .. path; affects Moodle up to 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 (CVE-2013-4524).


Description

A path traversal flaw in Moodle's repository/filesystem/lib.php permits remote authenticated users to read arbitrary files on the server by supplying a path that contains .. (dot dot). The issue affects multiple release lines: 2.2.11 and earlier; 2.3.x prior to 2.3.10; 2.4.x prior to 2.4.7; and 2.5.x prior to 2.5.3. Exploitation could disclose any file readable by the Moodle application, potentially exposing configuration details, source files, or other data. The vulnerability stems from insufficient input validation and path canonicalization in the repository filesystem component. Fixed releases were published for the affected branches (2.3.10, 2.4.7, 2.5.3), and upgrading to a current supported Moodle release is advised.

Overview

This CVE describes a directory traversal vulnerability in Moodle's repository/filesystem/lib.php that could allow remote authenticated users to read arbitrary files by crafting a path that includes .. (dot dot). The flaw affects multiple Moodle branches (up to 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3). If exploited, it could lead to exposure of sensitive files outside the intended directory, depending on the server's file permissions. The issue was publicly disclosed in 2013 and has since been addressed in patched releases.

Remediation

  • Upgrade Moodle to a patched release or a newer supported version (at minimum: 2.3.10, 2.4.7, 2.5.3, or newer). Prefer upgrading to the latest stable release to obtain all security fixes.
  • If upgrading is not immediately possible, apply a vendor patch to repository/filesystem/lib.php that:
    • Normalizes and validates all file-path inputs.
    • Denies or neutralizes any path components that traverse upward (..).
    • Ensures the resolved path remains within an allowed base directory (e.g., using strict realpath checks and prefix validation).
    • Enforces proper access controls so only intended operations are permitted.
  • Harden server-side protections:
    • Limit filesystem access permissions for the Moodle process.
    • Consider implementing input validation or a Web Application Firewall rule to block suspicious path traversal patterns.
  • Verify remediation:
    • Test for path traversal attempts in the Moodle file access paths.
    • Ensure that reading arbitrary files via manipulated paths is no longer possible.
  • Communication and monitoring:
    • Review release notes for patched versions and apply any related configuration changes.
    • Monitor security advisories and community forums for any related indicators of exploitation or additional patches.
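The path checks listed under remediation (normalize the input, reject upward traversal, confirm the resolved path stays under an allowed base directory) can be combined into one fail-closed helper. The PHP function below is an added illustration written for this page; it is not Moodle's code and not the MDL-41807 fix. The function name resolve_within_base, the temporary directory layout and the sample inputs are constructed for the demonstration. It also covers a case the list only implies: a symlink inside the base directory that points outside it passes a syntactic `..` filter but is rejected by the realpath() prefix check, which is why the two checks are layered rather than used alone.

```php
<?php
// Added example, not Moodle's own code. Names and paths are assumptions.

/**
 * Resolve $userPath relative to $baseDir and return the canonical absolute
 * path only if it remains inside $baseDir. Returns null on any violation,
 * so callers fail closed by default.
 */
function resolve_within_base(string $baseDir, string $userPath): ?string
{
    // 1. Canonicalize the base directory itself; it must exist.
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // Keep a trailing separator so the prefix test below cannot match a
    // sibling such as "/var/data-other" when the base is "/var/data".
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // 2. Syntactic filter: reject empty input, NUL bytes, absolute paths
    //    and any ".." component. Backslash is treated as a separator too,
    //    since Moodle may run on Windows.
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    if ($userPath[0] === '/' || $userPath[0] === '\\' || preg_match('#^[A-Za-z]:#', $userPath)) {
        return null;
    }
    foreach (preg_split('#[\\\\/]+#', $userPath) as $component) {
        if ($component === '..') {
            return null;
        }
    }

    // 3. Authoritative check: realpath() resolves "." segments and symlinks
    //    and returns false for paths that do not exist, so a missing target
    //    is a denial rather than a bypass.
    $resolved = realpath($base . $userPath);
    if ($resolved === false) {
        return null;
    }

    // 4. The canonical path must start with the canonical base.
    if (strncmp($resolved, $base, strlen($base)) !== 0) {
        return null;
    }
    return $resolved;
}

// Constructed demonstration on a throwaway directory tree.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'repo_demo_' . bin2hex(random_bytes(4));
$outside = $root . '_outside';
mkdir($root . '/course', 0700, true);
mkdir($outside, 0700, true);
file_put_contents($root . '/course/notes.txt', "inside the base\n");
file_put_contents($outside . '/secret.txt', "outside the base\n");
// A symlink that escapes the base; may fail on Windows without privilege.
@symlink($outside . '/secret.txt', $root . '/course/link.txt');

$cases = [
    'course/notes.txt',          // OK
    'course/./notes.txt',        // OK, "." is harmless and canonicalized
    'course/../../outside.txt',  // DENIED by the ".." filter
    '../repo_demo_x/notes.txt',  // DENIED by the ".." filter
    'course/missing.txt',        // DENIED, realpath() returns false
    'course/link.txt',           // DENIED by the prefix check (symlink escape)
];
foreach ($cases as $case) {
    $result = resolve_within_base($root, $case);
    printf("%-28s => %s\n", $case, $result === null ? 'DENIED' : 'OK ' . $result);
}

// Clean up the constructed tree.
@unlink($root . '/course/link.txt');
unlink($root . '/course/notes.txt');
rmdir($root . '/course');
rmdir($root);
unlink($outside . '/secret.txt');
rmdir($outside);
```

Run it with the PHP CLI. The design point is the ordering: the cheap syntactic filter rejects obvious traversal early, but only the realpath() comparison against a canonical base with a trailing separator decides whether a file is served, which is what neutralizes symlinks, mixed separators and sibling-directory prefix confusion.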

References

  • MDL-41807 commit reference: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41807
  • oss-security: Moodle security notifications public: http://openwall.com/lists/oss-security/2013/11/25/1
  • Moodle forum discussion: https://moodle.org/mod/forum/discuss.php?d=244481

Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing: Low
  2. Accommodation & Food Services: Low
  3. Administrative, Support, Waste Management & Remediation Services: Low
  4. Agriculture, Forestry Fishing & Hunting: Low
  5. Arts, Entertainment & Recreation: Low
  6. Construction: Low
  7. Educational Services: Low
  8. Finance and Insurance: Low
  9. Health Care & Social Assistance: Low
  10. Information: Low
  11. Management of Companies & Enterprises: Low
  12. Mining: Low
  13. Other Services (except Public Administration): Low
  14. Professional, Scientific, & Technical Services: Low
  15. Public Administration: Low
  16. Real Estate Rental & Leasing: Low
  17. Retail Trade: Low
  18. Transportation & Warehousing: Low
  19. Utilities: Low
  20. Wholesale Trade: Low
