Share
## https://sploitus.com/exploit?id=78361921-E1FF-5878-ADB0-633C41315170
# CVE-2026-7275-moodle
PoC & dokumentasi untuk **CVE-2026-7275**: Moodle Google Drive Repository (`repository_googledocs`) โ **Path Traversal / Arbitrary File Write** yang dapat mengarah ke **RCE** pada versi Moodle yang belum dipatch.
> **Disclaimer:** Hanya untuk riset keamanan authorized, audit, dan edukasi defensif. Jangan gunakan pada sistem tanpa izin tertulis.
## Metadata
| Field | Value |
|-------|-------|
| **CVE** | [CVE-2026-7275](https://nvd.nist.gov/vuln/detail/CVE-2026-7275) |
| **Advisory** | [MSA-26-0006](https://moodle.org/security/) |
| **Tracker** | MDL-88423 |
| **Komponen** | `repository_googledocs` |
| **CWE** | CWE-22 (Path Traversal) |
| **Severity** | Critical (CVSS ~9.1) |
| **Affected** | Moodle 5.1.0โ5.1.3, 5.0.0โ5.0.6, 4.5.0โ4.5.10 |
| **Fixed in** | 5.1.4, 5.0.7, 4.5.11 |
## Ringkasan
Plugin Google Drive di Moodle mengunduh file dari Google API menggunakan metadata **nama file** (`$originalfile->name`). Sebelum patch, nama ini diteruskan ke `prepare_file()` **tanpa sanitasi**, sehingga payload seperti `../../../../public/shell.php` bisa menulis file di luar direktori temp โ potensi RCE jika webroot mengeksekusi PHP.
**Tidak perlu tahu path absolut** โ cukup traversal relatif (`../` berulang) dari folder temp random.
## Struktur repo
```
โโโ README.md โ ringkasan (file ini)
โโโ CONTRIBUTORS.md โ 0xNuts + Composer
โโโ EXPLOIT.md โ attack chain, payload, prerequisites
โโโ PATCH.md โ analisis patch & mitigasi
โโโ poc/
โโโ demo_path_traversal.py โ demo lokal pre-patch vs post-patch
```
## Quick start (PoC lokal)
```bash
python poc/demo_path_traversal.py
```
Output menunjukkan path **ESCAPE** (pre-patch) vs **contained** (post-patch).
## Prerequisites exploit (versi vulnerable)
| Syarat | Detail |
|--------|--------|
| Akun Moodle | User terautentikasi |
| Capability | `repository/googledocs:view` |
| OAuth | Google Drive ter-link ke user Moodle |
| Plugin | `repository_googledocs` aktif |
| Versi | **Belum patch** (< 5.1.4 / < 5.0.7 / < 4.5.11) |
## Patch (ringkas)
```php
// public/repository/lib.php โ prepare_file()
return sprintf('%s/%s', make_request_directory(), clean_param($filename, PARAM_FILE));
```
Detail lengkap: [PATCH.md](./PATCH.md)
## Contributors
| | |
|---|---|
| **0xNuts** | [@ExDev994](https://github.com/ExDev994) โ lead researcher, PoC, documentation |
| **Composer** | Cursor AI โ co-researcher, static analysis, exploit & patch write-up |
Detail: [CONTRIBUTORS.md](./CONTRIBUTORS.md)
## Referensi
- [Moodle Security โ MSA-26-0006](https://moodle.org/security/)
- [CVE-2026-7275 (NVD)](https://nvd.nist.gov/vuln/detail/CVE-2026-7275)
---
```
/*
* CVE-2026-7275 โ break to understand, patch to defend.
* Contributors: 0xNuts (@ExDev994) + Composer (Cursor AI)
*/
```