Moderate severity · NVD Advisory · Published Jun 1, 2015 · Updated May 6, 2026
CVE-2015-0218
Description
Cross-site request forgery (CSRF) vulnerability in auth/shibboleth/logout.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote attackers to hijack the authentication of arbitrary users for requests that trigger a logout.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | < 2.6.7 | 2.6.7 |
| moodle/moodle (Packagist) | >= 2.7.0, < 2.7.4 | 2.7.4 |
| moodle/moodle (Packagist) | >= 2.8.0, < 2.8.2 | 2.8.2 |
Affected products
- cpe:2.3:a:moodle:moodle:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* (range: <= 2.5.9)
- cpe:2.3:a:moodle:moodle:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.0:*:*:*:*:*:*:*
Patches
693918c30e6b MDL-47964 auth_shibboleth: Fix DOS on the shibboleth logout
1 file changed · +18 −24
auth/shibboleth/logout.php+18 −24 modified@@ -8,45 +8,41 @@ require_once($CFG->dirroot."/auth/shibboleth/auth.php"); +$action = optional_param('action', '', PARAM_ALPHA); +$redirect = optional_param('return', '', PARAM_URL); // Find out whether host supports https $protocol = 'http://'; if (is_https()) { $protocol = 'https://'; } -// Front channel logout -if ( - isset($_GET['return']) - && isset($_GET['action']) - && $_GET['action'] == 'logout' - ){ - - // Logout out user from application - // E.g. destroy application session/cookie etc - require_logout(); - - // Finally, send user to the return URL - redirect($_GET['return']); +// If the shibboleth plugin is not enable, throw an exception. +if (!is_enabled_auth('shibboleth')) { + throw new moodle_exception(get_string('pluginnotenabled', 'auth', 'shibboleth')); } -// Back channel logout -elseif (!empty($HTTP_RAW_POST_DATA)) { +// Front channel logout. +if ($action == 'logout' && !empty($redirect)) { - // Requires PHP 5 + if ($USER->auth == 'shibboleth') { + // Logout out user from application. + require_logout(); + // Finally, send user to the return URL. + redirect($redirect); + } +} else if (!empty($HTTP_RAW_POST_DATA)) { - // Set SOAP header + // Back channel logout. + // Set SOAP header. $server = new SoapServer($protocol.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'/LogoutNotification.wsdl'); - - $server->addFunction("LogoutNotification"); $server->handle(); -} -// Return WSDL -else { +} else { + // Return WSDL. header('Content-Type: text/xml'); echo <<<WSDL @@ -119,9 +115,7 @@ </definitions> WSDL; exit; - } - /******************************************************************************/ function LogoutNotification($SessionID){
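Review bot: the front-channel branch `if ($action == 'logout' && !empty($redirect))` still calls `require_logout()` on a plain GET with no `sesskey` or origin check, so the cross-site forced logout this advisory describes remains reachable; the new `$USER->auth == 'shibboleth'` guard narrows it to Shibboleth-authenticated users rather than removing it. If that is intentional because an IdP-initiated redirect cannot carry a Moodle session key, say so in a comment next to the guard. Two further points in the same hunk: `PARAM_URL` checks URL syntax only, so `redirect($redirect)` will still send the logged-out user to any absolute URL supplied in `return` (consider restricting it to the configured IdP host or a relative path), and a non-Shibboleth user hitting this branch falls through with no response body and no error, where a `moodle_exception` like the one added for the disabled-plugin case would be clearer. The commit title says "Fix DOS", which does not describe the CSRF-hardening nature of the change.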
b82b4c562b70 MDL-47964 auth_shibboleth: Fix DOS on the shibboleth logout
1 file changed · +18 −24
auth/shibboleth/logout.php+18 −24 modified@@ -8,45 +8,41 @@ require_once($CFG->dirroot."/auth/shibboleth/auth.php"); +$action = optional_param('action', '', PARAM_ALPHA); +$redirect = optional_param('return', '', PARAM_URL); // Find out whether host supports https $protocol = 'http://'; if ( isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on'){ $protocol = 'https://'; } -// Front channel logout -if ( - isset($_GET['return']) - && isset($_GET['action']) - && $_GET['action'] == 'logout' - ){ - - // Logout out user from application - // E.g. destroy application session/cookie etc - require_logout(); - - // Finally, send user to the return URL - redirect($_GET['return']); +// If the shibboleth plugin is not enable, throw an exception. +if (!is_enabled_auth('shibboleth')) { + throw new moodle_exception(get_string('pluginnotenabled', 'auth', 'shibboleth')); } -// Back channel logout -elseif (!empty($HTTP_RAW_POST_DATA)) { +// Front channel logout. +if ($action == 'logout' && !empty($redirect)) { - // Requires PHP 5 + if ($USER->auth == 'shibboleth') { + // Logout out user from application. + require_logout(); + // Finally, send user to the return URL. + redirect($redirect); + } +} else if (!empty($HTTP_RAW_POST_DATA)) { - // Set SOAP header + // Back channel logout. + // Set SOAP header. $server = new SoapServer($protocol.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'/LogoutNotification.wsdl'); - - $server->addFunction("LogoutNotification"); $server->handle(); -} -// Return WSDL -else { +} else { + // Return WSDL. header('Content-Type: text/xml'); echo <<<WSDL @@ -119,9 +115,7 @@ </definitions> WSDL; exit; - } - /******************************************************************************/ function LogoutNotification($SessionID){
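Review bot: this backport is the same change as commit 693918c30e6b and carries the same open point: front-channel logout is still triggered by an unauthenticated GET, only narrowed by the `$USER->auth == 'shibboleth'` guard, and `redirect($redirect)` still accepts any syntactically valid absolute URL. One branch-specific difference in the unchanged context: `$protocol` is derived from `$_SERVER['HTTPS'] == 'on'` rather than `is_https()`, so behind a TLS-terminating proxy the `SoapServer` WSDL URL is built with `http://`; that is pre-existing, but worth aligning with the other branches while this file is being touched.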
fb60e23a6793 MDL-47964 auth_shibboleth: Fix DOS on the shibboleth logout
1 file changed · +18 −24
auth/shibboleth/logout.php+18 −24 modified@@ -8,45 +8,41 @@ require_once($CFG->dirroot."/auth/shibboleth/auth.php"); +$action = optional_param('action', '', PARAM_ALPHA); +$redirect = optional_param('return', '', PARAM_URL); // Find out whether host supports https $protocol = 'http://'; if (is_https()) { $protocol = 'https://'; } -// Front channel logout -if ( - isset($_GET['return']) - && isset($_GET['action']) - && $_GET['action'] == 'logout' - ){ - - // Logout out user from application - // E.g. destroy application session/cookie etc - require_logout(); - - // Finally, send user to the return URL - redirect($_GET['return']); +// If the shibboleth plugin is not enable, throw an exception. +if (!is_enabled_auth('shibboleth')) { + throw new moodle_exception(get_string('pluginnotenabled', 'auth', 'shibboleth')); } -// Back channel logout -elseif (!empty($HTTP_RAW_POST_DATA)) { +// Front channel logout. +if ($action == 'logout' && !empty($redirect)) { - // Requires PHP 5 + if ($USER->auth == 'shibboleth') { + // Logout out user from application. + require_logout(); + // Finally, send user to the return URL. + redirect($redirect); + } +} else if (!empty($HTTP_RAW_POST_DATA)) { - // Set SOAP header + // Back channel logout. + // Set SOAP header. $server = new SoapServer($protocol.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'/LogoutNotification.wsdl'); - - $server->addFunction("LogoutNotification"); $server->handle(); -} -// Return WSDL -else { +} else { + // Return WSDL. header('Content-Type: text/xml'); echo <<<WSDL @@ -119,9 +115,7 @@ </definitions> WSDL; exit; - } - /******************************************************************************/ function LogoutNotification($SessionID){
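Review bot: identical to commit 693918c30e6b, so the same review applies: the front-channel `require_logout()` remains reachable by an unauthenticated GET (no `sesskey`), gated only on `$USER->auth == 'shibboleth'`, and the `return` target is validated for syntax (`PARAM_URL`) but not restricted to a trusted host.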
371d58d70d4e MDL-47964 auth_shibboleth: Fix DOS on the shibboleth logout
1 file changed · +18 −24
auth/shibboleth/logout.php+18 −24 modified@@ -8,45 +8,41 @@ require_once($CFG->dirroot."/auth/shibboleth/auth.php"); +$action = optional_param('action', '', PARAM_ALPHA); +$redirect = optional_param('return', '', PARAM_URL); // Find out whether host supports https $protocol = 'http://'; if ( isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on'){ $protocol = 'https://'; } -// Front channel logout -if ( - isset($_GET['return']) - && isset($_GET['action']) - && $_GET['action'] == 'logout' - ){ - - // Logout out user from application - // E.g. destroy application session/cookie etc - require_logout(); - - // Finally, send user to the return URL - redirect($_GET['return']); +// If the shibboleth plugin is not enable, throw an exception. +if (!is_enabled_auth('shibboleth')) { + throw new moodle_exception(get_string('pluginnotenabled', 'auth', 'shibboleth')); } -// Back channel logout -elseif (!empty($HTTP_RAW_POST_DATA)) { +// Front channel logout. +if ($action == 'logout' && !empty($redirect)) { - // Requires PHP 5 + if ($USER->auth == 'shibboleth') { + // Logout out user from application. + require_logout(); + // Finally, send user to the return URL. + redirect($redirect); + } +} else if (!empty($HTTP_RAW_POST_DATA)) { - // Set SOAP header + // Back channel logout. + // Set SOAP header. $server = new SoapServer($protocol.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'/LogoutNotification.wsdl'); - - $server->addFunction("LogoutNotification"); $server->handle(); -} -// Return WSDL -else { +} else { + // Return WSDL. header('Content-Type: text/xml'); echo <<<WSDL @@ -119,9 +115,7 @@ </definitions> WSDL; exit; - } - /******************************************************************************/ function LogoutNotification($SessionID){
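Review bot: identical to commit b82b4c562b70 (the `$_SERVER['HTTPS'] == 'on'` variant), so the same review applies: the front-channel `require_logout()` remains reachable by an unauthenticated GET, gated only on `$USER->auth == 'shibboleth'`, the `return` URL is syntax-checked by `PARAM_URL` but not host-restricted, and the manual HTTPS detection in the unchanged context differs from the `is_https()` used on the newer branches.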
References
- github.com/advisories/GHSA-5jph-mvfm-r27p (GHSA, advisory)
- moodle.org/mod/forum/discuss.php (NVD, vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2015-0218 (GHSA, advisory)
- openwall.com/lists/oss-security/2015/01/19/1 (NVD)
- github.com/moodle/moodle/commit/371d58d70d4ef866f35e33ea6898007112bfe654 (GHSA, fix commit)
- github.com/moodle/moodle/commit/693918c30e6b7c95dddd9c5973f98d98342a59d9 (GHSA, fix commit)
- github.com/moodle/moodle/commit/b82b4c562b705ea8f11893d9126889bb696b9612 (GHSA, fix commit)
- github.com/moodle/moodle/commit/fb60e23a67931eeba8fc9aacf3cc838e462f21f2 (GHSA, fix commit)