muksyd closed this issue 9 years ago
Pushed a patch that closes this hole, sorry all for the inconvenience!
Thank you! We wanted to notify you about it. This is a great plugin and we are currently working on a patch that will verify the password on WordPress if a user tries to login from the Moodle page and then return true if validated at the user end. I would love to share the patch with you if you are interested in adding it to your plugin.
That would be great. I initially didn't do it because I didn't want to use the same salts between installations (security, again). I imagine you'll pass over the hashed password and salt from WordPress and store those somehow (setting them in files is of course the most secure), and then modify the login function to perform the same hash during the database lookup. Let me know how you go (or fork and merge request it on GitHub).
Tim St. Clair http://about.me/timstclair/
On 10 Feb 2015, at 2:32 am, Mukarram Syed notifications@github.com wrote:
On line: https://github.com/frumbert/wp2moodle-moodle/blob/master/auth.php#L44
The user_login function doesn't validate the password, so if a user tries logging in from the Moodle login page, they can get in with any password. This is a HUGE security issue: all they need to know is the username and, boom, they are in.
I tried this on your demo site and I was able to log in to your Moodle site as long as I had the username. Any password goes.
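As an added example (not code from wp2moodle or its author) covering both the missing check in this report and the "store the WordPress hash and salt, then perform the same hash on login" approach suggested above: a PHP login check that recomputes the user's WordPress phpass portable ("$P$") hash from the supplied password and only accepts a match. It assumes the WordPress hash has been copied into a per-user store (the hypothetical `$users` array here), and that WordPress used its default portable phpass format.

```php
<?php
// Added example, not code from wp2moodle: a user_login() check that verifies the
// password against the user's WordPress (phpass portable "$P$") hash instead of
// accepting any password once the username exists.
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// phpass's base64 variant (used by WordPress for the 22-char hash tail).
function phpass_encode64(string $input, int $count): string {
    $output = ''; $i = 0;
    do {
        $value = ord($input[$i++]);
        $output .= ITOA64[$value & 0x3f];
        if ($i < $count) { $value |= ord($input[$i]) << 8; }
        $output .= ITOA64[($value >> 6) & 0x3f];
        if ($i++ >= $count) { break; }
        if ($i < $count) { $value |= ord($input[$i]) << 16; }
        $output .= ITOA64[($value >> 12) & 0x3f];
        if ($i++ >= $count) { break; }
        $output .= ITOA64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $output;
}

// Recompute a WordPress "$P$<cost><8-char salt>..." hash for a candidate password;
// null means the stored value is not a phpass hash (so it can never match).
function wp_phpass_hash(string $password, string $setting): ?string {
    if (!in_array(substr($setting, 0, 3), ['$P$', '$H$'], true)) { return null; }
    $count_log2 = strpos(ITOA64, $setting[3]);
    if ($count_log2 === false || $count_log2 < 7 || $count_log2 > 30) { return null; }
    $salt = substr($setting, 4, 8);
    if (strlen($salt) !== 8) { return null; }
    $count = 1 << $count_log2;
    $hash = md5($salt . $password, true);
    do { $hash = md5($hash . $password, true); } while (--$count);
    return substr($setting, 0, 12) . phpass_encode64($hash, 16);
}

// The fix: the username must exist AND the password must reproduce the stored hash.
// $users maps username => WordPress hash copied into the Moodle record (hypothetical store).
function user_login_fixed(array $users, string $username, string $password): bool {
    if (!isset($users[$username])) { return false; }
    $recomputed = wp_phpass_hash($password, $users[$username]);
    return $recomputed !== null && hash_equals($users[$username], $recomputed);
}

// Constructed sample: the hash is generated here from a constructed salt ("$P$B" = 8192 rounds).
$users = ['alice' => wp_phpass_hash('correct horse battery', '$P$B12345678')];
var_dump(user_login_fixed($users, 'alice', 'correct horse battery')); // right password
var_dump(user_login_fixed($users, 'alice', 'anything'));              // wrong password
```

The vulnerable form described in the report is the first line of `user_login_fixed` on its own: returning true as soon as the username lookup succeeds.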