Security Announcements

MSA-12-0023: External enrolment plugin context check issue

Mon, 19 Mar 2012 05:57:57 GMT

by Michael de Raadt.

Topic:	/enrol/externallib.php method core_enrol_external .get_enrolled_users() uses undefined $context and $coursecontext's in 3 has_capability() calls
Severity:	Major
Versions affected:	2.2 to 2.2.1+
Reported by:	Petr Škoda
Issue no.:	MDL-31178
CVE Identifier:	CVE-2012-1170
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31178

Description:

Capability checks in the external enrolment plugin were not being performed thoroughly enough.

MSA-12-0022: Security conflict in Web services

Mon, 19 Mar 2012 05:56:19 GMT

by Michael de Raadt.

Topic:	HTML5 apps cannot call Web services functions if an HTTP resource is retrieved from the Moodle installation
Severity:	Minor
Versions affected:	2.2 to 2.2.1+, 2.1 to 2.1.4+
Reported by:	Juan Leyva
Workaround:	Disable Web services
Issue no.:	MDL-30495
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-30495

Description:

HTML5 apps were being sent cookies which, when sent in later access requests, would cause the Web services to block them.

MSA-12-0021: Course information leak through tags

Mon, 19 Mar 2012 05:54:42 GMT

by Michael de Raadt.

Topic:	Adding Tag to an unavailable course makes it visible to students
Severity:	Minor
Versions affected:	2.2 to 2.2.1+, 2.1 to 2.1.4+
Reported by:	Ivo Šmelhaus
Workaround:	Don't enable block_tags_showcoursetags
Issue no.:	MDL-31466
CVE Identifier:	CVE-2012-1161
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31466

Description:

Courses identifiable by tags were being displayed in a tag search even when the courses were hidden.

MSA-12-0020: Forum subscription permission issue

Mon, 19 Mar 2012 05:53:22 GMT

by Michael de Raadt.

Topic:	Not enrolled users (admins...) are able to subscribe/unsubscribe themselves via mod/forum/index.php
Severity:	Minor
Versions affected:	2.2 to 2.2.1+, 2.1 to 2.1.4+
Reported by:	Eloy Lafuente
Issue no.:	MDL-31426
CVE Identifier:	CVE-2012-1160
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31426

Description:

Administrators and managers were able to subscribe to forums in courses they were not involved in without a permission check.

MSA-12-0019: Overview report and hidden course issue

Mon, 19 Mar 2012 05:51:35 GMT

by Michael de Raadt.

Topic:	Overview report shows hidden courses
Severity:	Minor
Versions affected:	2.2 to 2.2.1+, 2.1 to 2.1.4+
Reported by:	Mark Nelson
Issue no.:	MDL-29892
CVE Identifier:	CVE-2012-1159
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29892

Description:

Users unable to see hidden courses were able to see them in the overview report.

MSA-12-0018: Course information leak in Gradebook export

Mon, 19 Mar 2012 05:49:33 GMT

by Michael de Raadt.

Topic:	Gradeboook export allows role that cannot see hidden grades to export all grade and hidden is viewable
Severity:	Minor
Versions affected:	2.2 to 2.2.1+, 2.1 to 2.1.4+
Reported by:	Kathryn Fortin
Issue no.:	MDL-29080
CVE Identifier:	CVE-2012-1158
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29080

Description:

Users unable to see hidden grade items were able to view this information in an export.

MSA-12-0017: Personal information leak issue

Mon, 19 Mar 2012 05:47:08 GMT

by Michael de Raadt.

Topic:	'Full name format' set to 'First name' within 'Site Policies', but breadcrumbs show First + Last Name.
Severity:	Minor
Versions affected:	2.2 to 2.2.1+, 2.1 to 2.1.4+, 2.0 to 2.0.7+
Reported by:	John Fitchett
Workaround:	Use lang file based full-name display
Issue no.:	MDL-31463
CVE Identifier:	CVE-2012-1169
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31463

Description:

When the administrative setting to display users' names was set to first name only, users' full names were still appearing in page breadcrumbs.

MSA-12-0016: Default repository capabilities issue

Mon, 19 Mar 2012 05:45:19 GMT

by Michael de Raadt.

Topic:	authenticated user "view" capability set to "allow" for all repos
Severity:	Minor
Versions affected:	2.2 to 2.2.1+, 2.1 to 2.1.4+, 2.0 to 2.0.7+
Reported by:	Andrea Bicciolo
Workaround:	Manually change capability for repositories
Issue no.:	MDL-30452
CVE Identifier:	CVE-2012-1157
Changes (master):	http://git.moodle.org/gw?p=moodle.git;a=commit;h=246c2cb8e5af71a7d7c605b8fc9f9563e0fb3bc4

Description:

Not all repositories are intended for student use, however all repositories were viewable by all users by default. This change will affect new installations only. Existing site admins should review their repository capabilities.

MSA-12-0015: Backup and private files issue

Mon, 19 Mar 2012 05:42:36 GMT

by Michael de Raadt.

Topic:	Backup with user files includes users' private files
Severity:	Minor
Versions affected:	2.2 to 2.2.1+, 2.1 to 2.1.4+, 2.0 to 2.0.7+
Reported by:	Ralf Hilgenstock
Workaround:	Disable private files
Issue no.:	MDL-29248
CVE Identifier:	CVE-2012-1156
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29248

Description:

Course backups were including users' private files unnecessarily.

MSA-12-0014: Password and Web services issue

Mon, 19 Mar 2012 05:41:16 GMT

by Michael de Raadt.

Topic:	core_user_update_users user password is reset if not specified
Severity:	Minor
Versions affected:	2.2 to 2.2.1+, 2.1 to 2.1.4+, 2.0 to 2.0.7+
Reported by:	Fábio Souto
Workaround:	Turn off web services
Issue no.:	MDL-30878
CVE Identifier:	CVE-2012-1168
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-30878

Description:

A Web service function for updating user profiles was resetting user passwords when they were not supplied with update information.