http://moodle.org/mod/forum/view.php?f=996 <div style="text-align:left;"> <span class="nolink"> <h2>Moodle Security Procedures</h2> <p>We treat security issues in Moodle software very seriously. Even though we dedicate a lot of time designing our code to avoid such problems, it is inevitable in a project of this size that new vulnerabilities will occasionally be discovered.</p> <p>We practice responsible disclosure, which means we have a policy of disclosing all security issues that come to our attention, but only after we have solved the issue and given registered Moodle sites some time to upgrade or patch their installations.</p> <p>We welcome reports of security issues and will work with reporters to fix problems and publicise patches to Moodle users as quickly as possible.</p> <br /> <h3>How can I report a security issue?</h3> <p>Please &quot;Create a new issue&quot; in the Moodle Tracker describing the problem (and solution if possible) in detail. Make sure you set the <strong>Security Level</strong> accurately to make sure that the security team sees it. Bugs classified as a &quot;Serious security issue&quot; will be hidden from the general public until the security team (led by Petr Skoda) is able to resolve it and publish fixes to registered Moodle sites (see below).</p> <br /> <h3>How can I keep my site secure?</h3> <ol> <li>The usual way is to update your whole Moodle to the latest stable release of the version you are using. It is very safe to go from 1.8.1 to 1.8.2+, for example, at any time. CVS is a very easy way to do this.<br /><br /></li> <li>Many of the notices will include patch information. If you are fairly confident with editing scripts, then it may be easier for you to just patch the affected file.</li> </ol> <br /> <h3>How can I keep track of recent security issues?</h3> <ol> <li>Register your Moodle sites with moodle.org (visit admin/index.php in your installation to see the registration button), making sure to enable the option of being notified about security issues and updates. After your registration is accepted, your email address will be automatically added to our low-volume securityalerts mailing list.</li> <li>Eventually, all important security issues are published to the general public via the forum on this page. You can subscribe to the RSS feed on this page to automatically add new issues in your favourite feed reader or portal. (Please note that security alerts prior to 2008 were made on a different site and do not appear here.)</li> </ol> <br /> <h3>See also</h3> <ul> <li>Security documentation</li> <li>Security FAQ</li> </ul> </span> </div> Moodle &#169; 2009 Moodle.org http://moodle.org/pix/i/rsssitelogo.gif http://moodle.org 140 35 MSA-09-0021: Error in ADODB OCI8/MSSQL drivers allows SQL injection vulnerability http://moodle.org/mod/forum/discuss.php?d=136886&parent=597608 Mon, 02 Nov 2009 20:09:00 GMT Petr Škoda (skodak) by Petr Škoda (skodak). &nbsp;<p> <table><tbody> <tr> <td>Topic: </td> <td>Error in ADODB OCI8/MSSQL drivers allows SQL injection vulnerability </td> </tr> <tr> <td>Severity/Risk: </td> <td>Critical (only servers using Oracle and MS SQL databases) </td> </tr> <tr> <td>Versions affected: </td> <td> &lt;1.9.6 </td> </tr> <tr> <td>Reported by: </td> <td>Sam Moffatt </td> </tr> <tr> <td>Issue no.: </td> <td> <a title="Auto-link to Moodle Tracker" href="http://tracker.moodle.org/browse/MDL-19452">MDL-19452</a> </td> </tr> <tr> <td>Solution: </td> <td> upgrade to latest weekly build or 1.9.6 </td> </tr> <tr> <td>Workaround: </td> <td>none </td> </tr> </tbody> </table> <p><strong><br /></strong></p> <p><strong>Description:</strong><br />Sam Moffatt discovered a potential problem in the way ADODB library is quoting special characters when the database engine is using Sybase style quoting.</p> </p> http://moodle.org/mod/forum/discuss.php?d=136886&parent=597608 MSA-09-0020: Teachers can view students' grades in all courses in the overview report http://moodle.org/mod/forum/discuss.php?d=136884&parent=597604 Mon, 02 Nov 2009 19:52:58 GMT Petr Škoda (skodak) by Petr Škoda (skodak). &nbsp;<p> <table><tbody> <tr> <td>Topic: </td> <td>Teachers can view students' grades in all courses in the overview report </td> </tr> <tr> <td>Severity/Risk: </td> <td>Minor </td> </tr> <tr> <td>Versions affected: </td> <td> &lt;1.9.6 </td> </tr> <tr> <td>Reported by: </td> <td>Ratana Lim </td> </tr> <tr> <td>Issue no.: </td> <td> <a title="Auto-link to Moodle Tracker" href="http://tracker.moodle.org/browse/MDL-20355">MDL-20355</a> </td> </tr> <tr> <td>Solution: </td> <td> upgrade to latest weekly build or 1.9.6 </td> </tr> <tr> <td>Workaround: </td> <td>remove the overview report link - see http://docs.moodle.org/en/Simplifying_the_gradebook </td> </tr> </tbody> </table> <p><strong><br /></strong></p> <p><strong>Description:</strong><br />Teachers could view students' grades in all courses, including courses for which they do not have teacher rights, in the overview report.</p> </p> http://moodle.org/mod/forum/discuss.php?d=136884&parent=597604 MSA-09-0019: SQL injection in update_record http://moodle.org/mod/forum/discuss.php?d=136882&parent=597602 Mon, 02 Nov 2009 19:49:21 GMT Petr Škoda (skodak) by Petr Škoda (skodak). &nbsp;<p> <table><tbody> <tr> <td>Topic: </td> <td>SQL injection in update_record </td> </tr> <tr> <td>Severity/Risk: </td> <td>Critical </td> </tr> <tr> <td>Versions affected: </td> <td> &lt;1.9.6, &lt;1.8.10, 1.7.x </td> </tr> <tr> <td>Reported by: </td> <td>Georg-Christian Pranschke </td> </tr> <tr> <td>Issue no.: </td> <td> <a title="Auto-link to Moodle Tracker" href="http://tracker.moodle.org/browse/MDL-20309">MDL-20309</a> </td> </tr> <tr> <td>Solution: </td> <td> upgrade to latest weekly builds, 1.9.6 or 1.8.10 </td> </tr> <tr> <td>Workaround: </td> <td>apply patches:<br /> <ul> <li><font size="2">http://cvs.moodle.org/moodle/lib/dmllib.php?r1=1.116.2.32&amp;r2=1.116.2.33 <br /></font></li> <li><font size="2">http://cvs.moodle.org/moodle/lib/dmllib.php?r1=1.91.2.23&amp;r2=1.91.2.24 </font></li> </ul> </td> </tr> </tbody> </table> <p><strong><br /></strong></p> <p><strong>Description:</strong><br />Georg-Christian Pranschke discovered a serious problem in update_record function. This problem may allow any registered user to exploit several different scripts.</p> </p> http://moodle.org/mod/forum/discuss.php?d=136882&parent=597602 MSA-09-0018: Incorrect escaping when updating first post in a single simple discussion forum type http://moodle.org/mod/forum/discuss.php?d=136881&parent=597599 Mon, 02 Nov 2009 19:46:04 GMT Petr Škoda (skodak) by Petr Škoda (skodak). &nbsp;<p> <table><tbody> <tr> <td>Topic: </td> <td>Incorrect escaping when updating first post in a single simple discussion forum type </td> </tr> <tr> <td>Severity/Risk: </td> <td>Minor </td> </tr> <tr> <td>Versions affected: </td> <td> &lt;1.9.6, &lt;1.8.10 </td> </tr> <tr> <td>Reported by: </td> <td>Nicola Vitacolonna </td> </tr> <tr> <td>Issue no.: </td> <td> <a title="Auto-link to Moodle Tracker" href="http://tracker.moodle.org/browse/MDL-20555">MDL-20555</a> </td> </tr> <tr> <td>Solution: </td> <td> upgrade to latest weekly build or 1.9.6 </td> </tr> <tr> <td>Workaround: </td> <td>none </td> </tr> </tbody> </table> <p><strong><br /></strong></p> <p><strong>Description:</strong><br />Nicola Vitacolonna discovered forum introduction is incorrectly escaped when editing the first post of a single simple discussion forum. This can potentially lead to SQL injection attacks by teachers. Students can not exploit this problem.</p> </p> http://moodle.org/mod/forum/discuss.php?d=136881&parent=597599 MSA-09-0017: Upgrade code in 1.9 does not escape tags properly http://moodle.org/mod/forum/discuss.php?d=136880&parent=597597 Mon, 02 Nov 2009 19:43:46 GMT Petr Škoda (skodak) by Petr Škoda (skodak). &nbsp;<p> <table><tbody> <tr> <td>Topic: </td> <td>Upgrade code 1.9 does not escape tags properly </td> </tr> <tr> <td>Severity/Risk: </td> <td>Minor </td> </tr> <tr> <td>Versions affected: </td> <td> &lt;1.9.6 </td> </tr> <tr> <td>Reported by: </td> <td>Matt Oquist </td> </tr> <tr> <td>Issue no.: </td> <td> <a title="Auto-link to Moodle Tracker" href="http://tracker.moodle.org/browse/MDL-19709">MDL-19709</a> </td> </tr> <tr> <td>Solution: </td> <td> do not use 1.9.0-1.9.5 when upgrading from any previous version </td> </tr> </tbody> </table> <p><strong><br /></strong></p> <p><strong>Description:</strong><br />The upgrade code does not properly escape tags properly when upgrading from any version before 1.9.0.</p> </p> http://moodle.org/mod/forum/discuss.php?d=136880&parent=597597 MSA-09-0016: Email not properly escaped on user edit page http://moodle.org/mod/forum/discuss.php?d=136879&parent=597596 Mon, 02 Nov 2009 19:41:06 GMT Petr Škoda (skodak) by Petr Škoda (skodak). &nbsp;<p> <table><tbody> <tr> <td>Topic: </td> <td>Email not properly escaped on user edit page </td> </tr> <tr> <td>Severity/Risk: </td> <td>Minor </td> </tr> <tr> <td>Versions affected: </td> <td> &lt;1.9.6 </td> </tr> <tr> <td>Reported by: </td> <td>Alan Trick </td> </tr> <tr> <td>Issue no.: </td> <td> <a title="Auto-link to Moodle Tracker" href="http://tracker.moodle.org/browse/MDL-20295">MDL-20295</a> </td> </tr> <tr> <td>Solution: </td> <td> upgrade to latest weekly build or 1.9.6 </td> </tr> <tr> <td>Workaround: </td> <td>disable email change confirmation (not recommended) </td> </tr> </tbody> </table> <p><strong><br /></strong></p> <p><strong>Description:</strong><br />Alan Trick discovered that the email change confirmation code does not escape the email addresses properly. This problem is marked as minor because the email address is validated and can not contain an arbitrary text.</p> </p> http://moodle.org/mod/forum/discuss.php?d=136879&parent=597596 MSA-09-0015: Customised PhpMyAdmin upgraded to 2.11.9.6 http://moodle.org/mod/forum/discuss.php?d=135222&parent=590822 Wed, 14 Oct 2009 18:12:59 GMT Petr Škoda (skodak) by Petr Škoda (skodak). &nbsp;<p><p><table><tbody><tr><td>Topic:<br /> </td><td>Customised PhpMyAdmin upgraded to 2.11.9.6<br /> </td></tr><tr><td>Severity:<br /> </td><td>Major<br /> </td></tr><tr><td>Versions affected:<br /> </td><td> all<br /> </td></tr><tr><td>Reported by:<br /> </td><td>upstream - PMASA-2009-6; CVE-2009-3696 and CVE-2009-3697<br /> </td></tr><tr><td>Issue no.:<br /> </td><td> <a title="Auto-link to Moodle Tracker" href="http://tracker.moodle.org/browse/MDL-20553">MDL-20553</a><br /> </td></tr><tr><td>Solution:<br /> </td><td> Install latest package from <a href="http://moodle.org/mod/data/view.php?d=13&rid=448">http://moodle.org/mod/data/view.php?d=13&amp;rid=448</a> or cvs<br /> </td></tr><tr><td>Workaround:<br /> </td><td>delete admin/mysql/*<br /> </td></tr></tbody></table><p><strong><br /></strong></p><p><strong>Description:</strong><br /><a href="http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2009-6">http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2009-6<br /></a></p></p></p> http://moodle.org/mod/forum/discuss.php?d=135222&parent=590822 MSA-09-0014: mimeTeX vulnerabilities http://moodle.org/mod/forum/discuss.php?d=128474&parent=562732 Sun, 19 Jul 2009 18:04:10 GMT Petr Škoda (skodak) by Petr Škoda (skodak). &nbsp;<p><table><tbody> <tr> <td>Topic: </td> <td>mimeTeX vulnerabilities </td> </tr> <tr> <td>Severity/Risk: </td> <td>Major </td> </tr> <tr> <td>Versions affected: </td> <td> all </td> </tr> <tr> <td>Reported by: </td> <td>upstream - http://www.ocert.org/advisories/ocert-2009-010.html </td> </tr> <tr> <td>Issue no.: </td> <td> <a title="Auto-link to Moodle Tracker" href="http://tracker.moodle.org/browse/MDL-19832">MDL-19832</a>, CVE-2009-1382 </td> </tr> <tr> <td>Solution: </td> <td> upgrade to latest weekly built, stable CVS, nightly build or copy new mimetex.* executables into any older release </td> </tr> <tr> <td>Workaround: </td> <td>disable tex and algebra filters </td> </tr> </tbody> </table> <p><strong><br /></strong></p> <p><strong>Description:</strong><br />John Forkosh fixed several serious vulnerabilities in mimeTeX binary which is used in Moodle by TeX and Algebra filter. This was rated as "critical" upstream, however the risk is slightly less on Moodle because this filter can be disabled (and is disabled by default). In addition, the vulnerability is only exposed to valid users who have logged in to Moodle.</p> </p> http://moodle.org/mod/forum/discuss.php?d=128474&parent=562732 MSA-09-0013: Customised PhpMyAdmin upgraded to 2.11.9.5 http://moodle.org/mod/forum/discuss.php?d=123860&parent=542780 Wed, 20 May 2009 11:05:17 GMT Petr Škoda (skodak) by Petr Škoda (skodak). &nbsp;<p> <table><tbody> <tr> <td>Topic: </td> <td>Customised PhpMyAdmin upgraded to 2.11.9.5 </td> </tr> <tr> <td>Severity: </td> <td>Major </td> </tr> <tr> <td>Versions affected: </td> <td> all </td> </tr> <tr> <td>Reported by: </td> <td>upstream - PMASA-2009-1, PMASA-2009-2, PMASA-2009-3, PMASA-2009-4 </td> </tr> <tr> <td>Issue no.: </td> <td> <a title="Auto-link to Moodle Tracker" href="http://tracker.moodle.org/browse/MDL-19234">MDL-19234</a> </td> </tr> <tr> <td>Solution: </td> <td> Install latest package from <a href="http://moodle.org/mod/data/view.php?d=13&rid=448">http://moodle.org/mod/data/view.php?d=13&amp;rid=448</a> or cvs </td> </tr> <tr> <td>Workaround: </td> <td>delete admin/mysql/* </td> </tr> </tbody> </table> <p><strong><br /></strong></p> <p><strong>Description:</strong><br /><a href="http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2009-1">http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2009-1<br /></a> <a href="http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2009-2">http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2009-2<br /></a> <a href="http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2009-3">http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2009-3<br /></a> <a href="http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2009-4">http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2009-4</a><br /><br /></p> <p>Please note that some of these vulnerabilities may not be exploitable due to our specific integration changes.</p></p> http://moodle.org/mod/forum/discuss.php?d=123860&parent=542780 MSA-09-0012: SQL injections when importing outcomes http://moodle.org/mod/forum/discuss.php?d=123858&parent=542778 Wed, 20 May 2009 11:00:40 GMT Petr Škoda (skodak) by Petr Škoda (skodak). &nbsp;<p> <table><tbody> <tr> <td>Topic: </td> <td>SQL injections when importing outcomes </td> </tr> <tr> <td>Severity: </td> <td>Major </td> </tr> <tr> <td>Versions affected: </td> <td> &lt; 1.9.5 </td> </tr> <tr> <td>Reported by: </td> <td>internal review </td> </tr> <tr> <td>Issue no.: </td> <td> <a title="Auto-link to Moodle Tracker" href="http://tracker.moodle.org/browse/MDL-19036">MDL-19036</a> </td> </tr> <tr> <td>Solution: </td> <td> upgrade to 1.9.5 </td> </tr> </tbody> </table> <p><strong><br /></strong></p> <p><strong>Description:</strong><br />When reviewing the import outcomes code, it was discovered that incorrect coding allowed SQL injections. By default only trusted users are allowed to use this part of gradebook. It can not be exploited by students.</p></p> http://moodle.org/mod/forum/discuss.php?d=123858&parent=542778