Share
## https://sploitus.com/exploit?id=78361921-E1FF-5878-ADB0-633C41315170
# CVE-2026-7275-moodle

PoC & dokumentasi untuk **CVE-2026-7275**: Moodle Google Drive Repository (`repository_googledocs`) โ€” **Path Traversal / Arbitrary File Write** yang dapat mengarah ke **RCE** pada versi Moodle yang belum dipatch.

> **Disclaimer:** Hanya untuk riset keamanan authorized, audit, dan edukasi defensif. Jangan gunakan pada sistem tanpa izin tertulis.

## Metadata

| Field | Value |
|-------|-------|
| **CVE** | [CVE-2026-7275](https://nvd.nist.gov/vuln/detail/CVE-2026-7275) |
| **Advisory** | [MSA-26-0006](https://moodle.org/security/) |
| **Tracker** | MDL-88423 |
| **Komponen** | `repository_googledocs` |
| **CWE** | CWE-22 (Path Traversal) |
| **Severity** | Critical (CVSS ~9.1) |
| **Affected** | Moodle 5.1.0โ€“5.1.3, 5.0.0โ€“5.0.6, 4.5.0โ€“4.5.10 |
| **Fixed in** | 5.1.4, 5.0.7, 4.5.11 |

## Ringkasan

Plugin Google Drive di Moodle mengunduh file dari Google API menggunakan metadata **nama file** (`$originalfile->name`). Sebelum patch, nama ini diteruskan ke `prepare_file()` **tanpa sanitasi**, sehingga payload seperti `../../../../public/shell.php` bisa menulis file di luar direktori temp โ†’ potensi RCE jika webroot mengeksekusi PHP.

**Tidak perlu tahu path absolut** โ€” cukup traversal relatif (`../` berulang) dari folder temp random.

## Struktur repo

```
โ”œโ”€โ”€ README.md              โ† ringkasan (file ini)
โ”œโ”€โ”€ CONTRIBUTORS.md        โ† 0xNuts + Composer
โ”œโ”€โ”€ EXPLOIT.md             โ† attack chain, payload, prerequisites
โ”œโ”€โ”€ PATCH.md               โ† analisis patch & mitigasi
โ””โ”€โ”€ poc/
    โ””โ”€โ”€ demo_path_traversal.py   โ† demo lokal pre-patch vs post-patch
```

## Quick start (PoC lokal)

```bash
python poc/demo_path_traversal.py
```

Output menunjukkan path **ESCAPE** (pre-patch) vs **contained** (post-patch).

## Prerequisites exploit (versi vulnerable)

| Syarat | Detail |
|--------|--------|
| Akun Moodle | User terautentikasi |
| Capability | `repository/googledocs:view` |
| OAuth | Google Drive ter-link ke user Moodle |
| Plugin | `repository_googledocs` aktif |
| Versi | **Belum patch** (< 5.1.4 / < 5.0.7 / < 4.5.11) |

## Patch (ringkas)

```php
// public/repository/lib.php โ€” prepare_file()
return sprintf('%s/%s', make_request_directory(), clean_param($filename, PARAM_FILE));
```

Detail lengkap: [PATCH.md](./PATCH.md)

## Contributors

| | |
|---|---|
| **0xNuts** | [@ExDev994](https://github.com/ExDev994) โ€” lead researcher, PoC, documentation |
| **Composer** | Cursor AI โ€” co-researcher, static analysis, exploit & patch write-up |

Detail: [CONTRIBUTORS.md](./CONTRIBUTORS.md)

## Referensi

- [Moodle Security โ€” MSA-26-0006](https://moodle.org/security/)
- [CVE-2026-7275 (NVD)](https://nvd.nist.gov/vuln/detail/CVE-2026-7275)

---

```
/*
 * CVE-2026-7275 โ€” break to understand, patch to defend.
 * Contributors: 0xNuts (@ExDev994) + Composer (Cursor AI)
 */
```