Moodle Security

MSA-08-0018: customised PhpMyAdmin package upgraded to 2.11.8.1

Tue, 29 Jul 2008 19:56:52 WST

by Petr Škoda (škoďák).

Topic:	customised PhpMyAdmin upgraded to 2.11.8.1
Severity:	Major
Versions affected:	all
Reported by:	upstream - PMASA-2008-6
Issue no.:	MDL-15872
Solution:	Install latest package from http://moodle.org/mod/data/view.php?d=13&rid=448

Description:

Added protection against cross-frame scripting. Please note that the XSS problem in setup.php does not affect Moodle because this file is not included in the customised Moodle package.

MSA-08-0017: customised PhpMyAdmin upgraded to 2.11.7.1

Wed, 16 Jul 2008 15:21:22 WST

by Petr Škoda (škoďák).

Topic:	customised PhpMyAdmin upgraded to 2.11.7.1
Severity:	Major
Versions affected:	all
Reported by:	upstream
Issue no.:	MDL-15665
Solution:	Install latest package from http://moodle.org/mod/data/view.php?d=13&rid=448

Description:

A bug that allows XSRF/CSRF by manipulating the db, convcharset and collation_connection parameters was discovered in PhpMyAdmin and fixed there (thanks to YGN Ethical Hacker Group. Details not disclosed yet). Our local optional add-on based on phpmyadmin has now also been updated with this fix.

MSA-08-0016: Email could be changed in profile without confirmation

Wed, 16 Jul 2008 14:29:34 WST

by Petr Škoda (škoďák).

Topic:	Email could be changed in profile without confirmation
Severity:	Major
Versions affected:	< 1.8.6, <1.9.2
Reported by:	multiple external reports
Issue no.:	MDL-13811
Solution:	upgrade to 1.9.2 or 1.8.6. Patch is provided at ~~MDL-13811~~

Description:

In previous versions of Moodle, a user who is already authenticated could change their own email address without having to prove they could access that new email account. In Moodle 1.8.6 and 1.9.2 a new setting called emailchangeconfirmation (default: on) now forces all users on the site to go through a confirmation process whenever they want to change their email account. Moodle 1.6.x and 1.7.x sites have not had this new feature added yet - we highly recommend upgrading to 1.9.x if this concerns you.

MSA-08-0015: accessible profiles of deleted users

Wed, 16 Jul 2008 14:25:35 WST

by Petr Škoda (škoďák).

Topic:	accessible profiles of deleted users
Severity:	Major
Versions affected:	<1.6.7, <1.7.5, <1.8.6, <1.9.2
Reported by:	Debbie McDonald and Mauno Korpelainen
Issue no.:	MDL-15516
Solution:	upgrade to 1.6.7, 1.7.5, 1.8.6, 1.9.2 or any recent nightly or use patch http://cvs.moodle.org/moodle/user/view.php?r1=1.123.2.8&r2=1.123.2.9

Description:

Profiles of deleted users were accessible which allowed spammers to abuse user profiles on some sites. Also please make sure that you have "Force users to login for profiles" set as enabled in admin settings if your site allows registering of new users.

MSA-08-0014: potential sql injection in events handling code

Wed, 16 Jul 2008 14:22:14 WST

by Petr Škoda (škoďák).

Topic:	potential sql injection in events handling code
Severity:	Minor
Versions affected:	1.9.0 and 1.9.1 only
Reported by:	internal
Issue no.:	MDL-15552
Solution:	upgrade to 1.9.2 or any recent nightly; upgrade needed only if custom code uses Events API

Description:

During internal review it was discovered that the new Events framework might be vulnerable to sql attacks. This code is not currently used within Moodle core, but sites 3rd party modifications could be vulnerable. If you have any code using Events API please read the details in http://tracker.moodle.org/browse/MDL-9983 on how to update your code to comply with this change. Please note that the changes in 1.9.2 are not backwards compatible.

MSA-08-0013: CSRF (Cross-site Request Forgery) on Moodle edit profile page

Wed, 16 Jul 2008 14:20:11 WST

by Petr Škoda (škoďák).

Topic:	CSRF (Cross-site Request Forgery) on Moodle edit profile page
Severity:	Major
Versions affected:	<1.6.7, <1.7.5
Reported by:	Amir Azam and Adrian Pastor of ProCheckUp Ltd. (www.procheckup.com)
Issue no.:	MDL-15450
Solution:	upgrade to 1.6.7, 1.7.5 or any recent nightly or use patch http://cvs.moodle.org/moodle/user/edit.php?r1=1.112.2.4.2.1&r2=1.112.2.4.2.2 + http://cvs.moodle.org/moodle/user/Attic/edit.html?r1=1.88.2.3&r2=1.88.2.3.2.1

Description:

ProCheckup discovered that user profile page in 1.6.x and 1.7.x sites are vulnerable to CSRF (Cross-site Request Forgery) attacks. Versions 1.8 and above are not vulnerable due to to increased protection the forms library enforces. We would like to thank them for informing us in a responsible manner and coordinating the disclosure of security advisories.

MSA-08-0012: Potential non-persistent XSS when searching for group members (MSSQL and Oracle only)

Wed, 16 Jul 2008 14:18:16 WST

by Petr Škoda (škoďák).

Topic:	Potential non-persistent XSS when searching for group members (MSSQL and Oracle only)
Severity:	Major
Versions affected:	1.9.0, 1.9.1
Reported by:	internal
Issue no.:	MDL-15079
Solution:	upgrade to 1.9.2 or any recent nightly or use patch http://cvs.moodle.org/moodle/group/members.php?r1=1.3.2.4&r2=1.3.2.5

Description:

We have discovered that systems running on MSSQL or Oracle databases are vulnerable to non-persistent cross-site scripting (XSS) attack. This vulnerability was caused by incorrect escaping when using database engines which require sybase style quoting (MSSQL and Orcale Only).

MSA-08-0011: Potential webroot disclosures warning

Wed, 16 Jul 2008 14:15:49 WST

by Petr Škoda (škoďák).

Topic:	Potential webroot disclosures warning
Severity:	Minor
Versions affected:	all version
Reported by:	Richard Brain of ProCheckUp Ltd. (www.procheckup.com)
Issue no.:	MDL-15413
Solution:	make sure display_errors is disabled in PHP configuration; 1.8.6 and 1.9.2 contains new warning for administrators

Description:

ProCheckup discovered that several scripts display errors if display_errors enabled in PHP configuration. This problem will be fully fixed in later Moodle versions because it requires modification of many files and review of all code from upstream, in the meantime please make sure you server is configured properly - see http://www.php.net/manual/en/errorfunc.configuration.php#ini.display-errors

We would like to thank them for informing us in a responsible manner and coordinating the disclosure of security advisories.

MSA-08-0010: sql injection in HotPot module

Wed, 16 Jul 2008 14:13:02 WST

by Petr Škoda (škoďák).

Topic:	sql injection in HotPot module
Severity:	Major
Versions affected:	<1.6.7, <1.7.5, <1.8.6, <1.9.2
Reported by:	internal
Issue no.:	MDL-15184
Solution:	upgrade to 1.6.7, 1.7.5, 1.8.6, 1.9.2 or any recent nightly or use patch http://cvs.moodle.org/moodle/mod/hotpot/report.php?r1=1.8.6.1&r2=1.8.6.2

Description:

We have discovered that Hotpot module code in report.php was vulnerable to sql injection attacks.

MSA-08-0009: Persistent Cross-site Scripting (XSS) on blog entry title parameter

Wed, 16 Jul 2008 14:10:16 WST

by Petr Škoda (škoďák).

Topic:	Persistent Cross-site Scripting (XSS) on blog entry title parameter
Severity:	Major
Versions affected:	<1.6.7, <1.7.5
Reported by:	Adrian Pastor and Amir Azam of ProCheckUp Ltd. (www.procheckup.com)
Issue no.:	MDL-15392
Solution:	upgrade to 1.6.7, 1.7.5 or any recent nightly or use patch http://cvs.moodle.org/moodle/blog/lib.php?r1=1.38.6.3&r2=1.38.6.2

Description:

ProCheckup discovered that 1.6.x and 1.7.x sites with enabled blogs are vulnerable to persistent Cross-site Scripting (XSS) attacks through blog entry titles. We would like to thank them for informing us in a responsible manner and coordinating the disclosure of security advisories.