VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 31, 2004· Updated Apr 16, 2026

CVE-2004-1425

CVE-2004-1425

Description

Directory traversal in Moodle's file.php allows remote attackers to read arbitrary session files for known session IDs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Directory traversal in Moodle's file.php allows remote attackers to read arbitrary session files for known session IDs.

Vulnerability

Moodle 1.4.2 and earlier contains a directory traversal vulnerability in file.php. The file parameter is not properly sanitized, allowing .. sequences to traverse directories. This enables reading arbitrary session files if the attacker knows the session ID [1].

Exploitation

The attacker must know a valid session ID. By sending a request to file.php with a file parameter containing ../ traversal to access session files (e.g., ../../../tmp/sess_SESSIONID), the attacker can retrieve the session file content [1]. No authentication is required beyond knowledge of the session ID.

Impact

Successful exploitation allows the attacker to read the contents of session files, potentially disclosing sensitive information such as user data, session variables, or other data stored in the session [1]. This may lead to privilege escalation or account takeover.

Mitigation

The vulnerability is fixed in Moodle version 1.4.3 [2]. Users should upgrade to 1.4.3 or later. No workaround is documented in the available references.

References
  1. 'Multiple Vulnerabilities in Moodle' - MARC
  2. 'Re: Multiple Vulnerabilities in Moodle'

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

11
  • Moodle/Moodle11 versions
    cpe:2.3:a:moodle:moodle:1.1.1:*:*:*:*:*:*:*+ 10 more
    • cpe:2.3:a:moodle:moodle:1.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.4.2:*:*:*:*:*:*:*
    • (no CPE)range: <=1.4.2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Insufficient path traversal filtering in `detect_munged_arguments()` allows a single `..` sequence to escape the intended directory."

Attack vector

An attacker sends a crafted HTTP request to `file.php` with a `file` parameter containing a path traversal sequence, e.g., `?file=/1/../sessions/sess_SESSIONID`. The `detect_munged_arguments()` function permits one `..` traversal, allowing the attacker to escape the intended directory and read session files from the `moodledata/sessions` directory [ref_id=1]. The attacker must know a valid session ID, which can be obtained via a separate cross-site scripting vulnerability in `/mod/forum/view.php` [ref_id=1]. No authentication is required to trigger the traversal.

Affected code

The vulnerability is in `file.php` at line 45, where the pathname is constructed as `$pathname = "$CFG->dataroot$pathinfo"`. The `$pathinfo` variable is checked by `detect_munged_arguments()` but still allows one use of `..` to traverse to the parent directory [ref_id=1].

What the fix does

The advisory states that the Session File Disclosure vulnerability is patched in Moodle version 1.4.3 [ref_id=1]. No patch diff is provided in the bundle, but the fix presumably tightens the `detect_munged_arguments()` function to disallow directory traversal sequences entirely, preventing `..` from escaping the `moodledata` directory.

Preconditions

  • inputAttacker must know a valid session ID (can be obtained via XSS in /mod/forum/view.php)
  • configTarget must be running Moodle <= 1.4.2
  • authNo authentication required

Reproduction

Send a request to `http://localhost/moodle/file.php?file=/1/../sessions/sess_SESSIONID`, where `1` is an existing course ID and `SESSIONID` is a known session identifier [ref_id=1]. The server will return the contents of the session file.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.