the bug. Rubin, who has previously dug up vulnerabilities in Mozilla’s Bugzilla bug tracking system, the e-commerce platform Magento, and WordPress, described the bug in depth in a blog post on Monday. “Similar scenarios could be used in previous versions of Moodle but only by managers/admins and only via web services,” the advisory reads. School IT administrators are being encouraged to apply a patch that maintainers of the system pushed 10 days ago. Rubin discovered that he could nonetheless exploit the feature and reach an unserialize call by leaving a preference in a block mechanism empty. That could open the door to an object injection attack. While the attack had its limitations, Rubin found a way to pivot from it to a series of method calls. From there, he found he could use the system’s “update” method to update any row in an affected database. This gave him the ability to tweak administrator accounts, passwords, the site configuration, “basically whatever we want,” he wrote. Rubin used a double SQL injection to top off his exploit, gaining full administrator privileges on any server running Moodle. “After gaining full administrator privileges executing code is as simple as uploading a new plugin or template to the server,” Rubin writes.
A series of remotely exploitable vulnerabilities exist in a popular web-based SCADA system made by Honeywell that make it easy to expose passwords and, in turn, give attackers a foothold into the vulnerable network. The flaws exist in some versions of Honeywell’s XL Web II controllers, systems deployed across the critical infrastructure sector, including wastewater, energy, and manufacturing companies. An advisory from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned about the vulnerabilities Thursday. The company has developed a fix, version 3.04.05.05, to address the issues, but users have to call their local Honeywell Building Solutions branch to receive the update, according to the company. The controllers suffer from five vulnerabilities in total, but the scariest one might be the fact that passwords for the controllers are stored in clear text. Furthermore, if attackers wanted to, they could disclose that password simply by accessing a particular URL. An attacker could also carry out a path traversal attack by accessing a specific URL, open and change some parameters by accessing a particular URL, or establish a new user session. The problem with starting a new user session is that the controllers didn’t invalidate any existing session identifier, something that could have made it easier for an attacker to steal any active authenticated sessions. Maxim Rupp, an independent security researcher based in Germany, dug up the bugs and teased them on Twitter at the beginning of January. Rupp has identified bugs in Honeywell equipment before.
Two years ago he discovered a pair of vulnerabilities in Tuxedo Touch, a home automation controller made by the company, that could have let an attacker unlock a house’s doors or modify its climate controls. It’s unclear how widespread the usage of Honeywell’s XL Web II controllers is. While Honeywell is a US-based company, according to ICS-CERT’s advisory the majority of the affected products are used in Europe and the Middle East. When reached on Friday, a spokesperson for Honeywell confirmed that the affected controllers are used in Europe and the Middle East. The company also stressed that the vulnerabilities were patched in September 2016 after they were reported in August.
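The session-handling weakness described above, where a controller keeps an already-issued session identifier valid after a user authenticates, is illustrated by the following added example. It is not code from the article, from Honeywell or from the researcher; the in-memory session store, the `rotate_on_login` switch and the user name `operator` are constructed for illustration only. The weak mode keeps the pre-login identifier alive after authentication; the hardened mode discards it and issues a fresh one, which is the check a defender would want a web front end to pass.

```python
import secrets
from typing import Dict, Optional


class SessionStore:
    """Minimal in-memory session table: session id -> authenticated user (None before login).

    Constructed for this example; it models behaviour, not any real product's code."""

    def __init__(self, rotate_on_login: bool) -> None:
        self.rotate_on_login = rotate_on_login
        self._sessions: Dict[str, Optional[str]] = {}

    def start_anonymous(self) -> str:
        """Issue a session id before any credentials are presented (e.g. on first page load)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = None
        return sid

    def login(self, sid: str, username: str) -> str:
        """Authenticate the holder of `sid` and return the id the client must use from now on.

        Weak mode (rotate_on_login=False) mirrors the advisory's description: the id the client
        already had is simply marked authenticated, so anyone who learned it earlier now holds an
        authenticated session. Hardened mode invalidates the old id and issues a new one."""
        if sid not in self._sessions:
            raise KeyError("unknown session")
        if not self.rotate_on_login:
            self._sessions[sid] = username
            return sid
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = username
        return new_sid

    def authenticated_user(self, sid: str) -> Optional[str]:
        """Return the user bound to `sid`, or None if it is unknown or still anonymous."""
        return self._sessions.get(sid)


def pre_login_id_still_works(rotate_on_login: bool) -> bool:
    """True if an id handed out before login authenticates afterwards (the weak behaviour)."""
    store = SessionStore(rotate_on_login)
    old = store.start_anonymous()
    new = store.login(old, "operator")  # hypothetical user name
    assert store.authenticated_user(new) == "operator"  # the returned id always works
    return store.authenticated_user(old) == "operator"


if __name__ == "__main__":
    print("weak mode leaks:", pre_login_id_still_works(False))      # True
    print("hardened mode leaks:", pre_login_id_still_works(True))   # False
```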