While auditing the wider Moodle ecosystem for vulnerabilities, a path traversal issue was discovered in the popular MathType library. According to the Moodle plugins directory, there are approximately 5745 sites running the affected library.

The MathType library integrates with the following Learning Management Systems (LMS) and HTML editors:

Our research primarily focused on the Moodle and PHP libraries, however it appears that the resource handler has been cross-compiled between multiple languages, and some variation of the handler was present in all the examined code bases, including that present in Blackboard (see below for PoC).

A resource handler was discovered within these libraries that takes parameters from the querystring and uses these to fetch files and resources that are meant to be displayed to the user.

It was found that no sanitisation occurred on parameters fetched from the URL, with four lines in the codebase being of particular concern:

$resource = $provider->getRequiredParameter('resourcefile');

$resourceLoader = $pluginBuilder->newResourceLoader();
header('Content-Type:' . $resourceLoader->getContentType($resource));
echo $resourceLoader->getcontent($resource);

As seen in the code snippet above, there is a lack of sanitisation occurring on the resource parameter. The getContentType function simply parses the extension and decides on how the content type will be rendered, with the base case being application/octet-stream.

As a result of this, when variables are parsed into the getContent method, potential attackers have the ability to fetch arbitrary files such as source code and environment variables simply by supplying the query parameter with the correct file path. Depending on the server configuration, attackers may be able to pivot further into the environment.

How It Can Be Exploited

A simple PoC for a path traversal vulnerability within vulnerable Moodle instances (using Wiris MathType library v7.28.0 and lower) can be constructed:


If the PoC was successful, then the user would be able have successfully downloaded the contents of the config.php file.

It was also discovered that Blackboard was also partially vulnerable to this issue, however for the most part, the Tomcat path normalisation function would prevent the resource handler from fetching files from outside the plugin root. In some configurations on older Tomcat servers, it may be possible to traverse further.

Blackboard payloads:


Potential Impact

In the case of the Moodle exploit it is trivial to return the environment variables stored in the config.php file which may allow an attacker to retrieve the cleartext database credentials and other implementation secrets. Depending on the application, source code may also be possible to retrieve.

How to Fix It

Wiris has now completely deleted the resource handler code as seen in a pull request made on the 18th of May. To ensure that your applications are not affected by it, verify that the version of Wiris MathType library used is v7.28.1 and above.

Vulnerability Disclosure Timeline:

  • 22/04/2022 Issue reported to Wiris.
  • 18/05/2022 Resource Handler was deleted by Wiris.
  • 16/06/2022 CVE-2022-31372 assigned.

Latest event

BSides San Francisco


CityView at SF Metreon

BSides San Francisco is a non-profit organization designed to advance the body of Information Security knowledge by providing an annual, two-day, open forum for discussion and debate for security engineers and their affiliates. Presenters at BSides SF conferences are engaging the participants and getting the discussions started on the “Next Big Thing”, not preaching at you from the podium about last month’s news.

See all events
Contact us

Take the next step and talk to us today.