Usted está aquí

  • Home
  • Security news
 
 

Security Announcements

RSS
Imagen de Petr Škoda (skodak)
MSA-09-0021: Error in ADODB OCI8/MSSQL drivers allows SQL injection vulnerability
de Petr Škoda (skodak) - martes, 3 de noviembre de 2009, 04:09
 
Topic: Error in ADODB OCI8/MSSQL drivers allows SQL injection vulnerability
Severity/Risk: Critical (only servers using Oracle and MS SQL databases)
Versions affected: <1.9.6
Reported by: Sam Moffatt
Issue no.: MDL-19452
Solution: upgrade to latest weekly build or 1.9.6
Workaround: none


Description:
Sam Moffatt discovered a potential problem in the way ADODB library is quoting special characters when the database engine is using Sybase style quoting.

Imagen de Petr Škoda (skodak)
MSA-09-0020: Teachers can view students' grades in all courses in the overview report
de Petr Škoda (skodak) - martes, 3 de noviembre de 2009, 03:52
 
Topic: Teachers can view students' grades in all courses in the overview report
Severity/Risk: Minor
Versions affected: <1.9.6
Reported by: Ratana Lim
Issue no.: MDL-20355
Solution: upgrade to latest weekly build or 1.9.6
Workaround: remove the overview report link - see http://docs.moodle.org/en/Simplifying_the_gradebook


Description:
Teachers could view students' grades in all courses, including courses for which they do not have teacher rights, in the overview report.

Imagen de Petr Škoda (skodak)
MSA-09-0019: SQL injection in update_record
de Petr Škoda (skodak) - martes, 3 de noviembre de 2009, 03:50
 
Topic: SQL injection in update_record
Severity/Risk: Critical
Versions affected: <1.9.6, <1.8.10, 1.7.x
Reported by: Georg-Christian Pranschke
Issue no.: MDL-20309
Solution: upgrade to latest weekly builds, 1.9.6 or 1.8.10
Workaround: apply patches:
  • http://cvs.moodle.org/moodle/lib/dmllib.php?r1=1.116.2.32&r2=1.116.2.33
  • http://cvs.moodle.org/moodle/lib/dmllib.php?r1=1.91.2.23&r2=1.91.2.24


Description:
Georg-Christian Pranschke discovered a serious problem in update_record function. This problem may allow any registered user to exploit several different scripts.

Imagen de Petr Škoda (skodak)
MSA-09-0018: Incorrect escaping when updating first post in a single simple discussion forum type
de Petr Škoda (skodak) - martes, 3 de noviembre de 2009, 03:46
 
Topic: Incorrect escaping when updating first post in a single simple discussion forum type
Severity/Risk: Minor
Versions affected: <1.9.6, <1.8.10
Reported by: Nicola Vitacolonna
Issue no.: MDL-20555
Solution: upgrade to latest weekly build or 1.9.6
Workaround: none


Description:
Nicola Vitacolonna discovered forum introduction is incorrectly escaped when editing the first post of a single simple discussion forum. This can potentially lead to SQL injection attacks by teachers. Students can not exploit this problem.

Imagen de Petr Škoda (skodak)
MSA-09-0017: Upgrade code in 1.9 does not escape tags properly
de Petr Škoda (skodak) - martes, 3 de noviembre de 2009, 03:43
 
Topic: Upgrade code 1.9 does not escape tags properly
Severity/Risk: Minor
Versions affected: <1.9.6
Reported by: Matt Oquist
Issue no.: MDL-19709
Solution: do not use 1.9.0-1.9.5 when upgrading from any previous version


Description:
The upgrade code does not properly escape tags properly when upgrading from any version before 1.9.0.

Imagen de Petr Škoda (skodak)
MSA-09-0016: Email not properly escaped on user edit page
de Petr Škoda (skodak) - martes, 3 de noviembre de 2009, 03:41
 
Topic: Email not properly escaped on user edit page
Severity/Risk: Minor
Versions affected: <1.9.6
Reported by: Alan Trick
Issue no.: MDL-20295
Solution: upgrade to latest weekly build or 1.9.6
Workaround: disable email change confirmation (not recommended)


Description:
Alan Trick discovered that the email change confirmation code does not escape the email addresses properly. This problem is marked as minor because the email address is validated and can not contain an arbitrary text.

Imagen de Petr Škoda (skodak)
MSA-09-0015: Customised PhpMyAdmin upgraded to 2.11.9.6
de Petr Škoda (skodak) - jueves, 15 de octubre de 2009, 02:12
 
Topic:
Customised PhpMyAdmin upgraded to 2.11.9.6
Severity:
Major
Versions affected:
 all
Reported by:
upstream - PMASA-2009-6; CVE-2009-3696 and CVE-2009-3697
Issue no.:
 MDL-20553
Solution:
 Install latest package from http://moodle.org/mod/data/view.php?d=13&rid=448 or cvs
Workaround:
delete admin/mysql/*


Description:
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2009-6

Imagen de Petr Škoda (skodak)
MSA-09-0014: mimeTeX vulnerabilities
de Petr Škoda (skodak) - martes, 21 de julio de 2009, 17:00
 
Topic: mimeTeX vulnerabilities
Severity/Risk: Major
Versions affected: all
Reported by: upstream - http://www.ocert.org/advisories/ocert-2009-010.html
Issue no.: MDL-19832, CVE-2009-1382
Solution: upgrade to latest weekly built, stable CVS, nightly build or copy new mimetex.* executables into any older release
Workaround: disable tex and algebra filters


Description:
John Forkosh fixed several serious vulnerabilities in mimeTeX binary which is used in Moodle by TeX and Algebra filter. This was rated as "critical" upstream, however the risk is slightly less on Moodle because this filter can be disabled (and is disabled by default). In addition, the vulnerability is only exposed to valid users who have logged in to Moodle.

Imagen de Petr Škoda (skodak)
MSA-09-0013: Customised PhpMyAdmin upgraded to 2.11.9.5
de Petr Škoda (skodak) - miércoles, 20 de mayo de 2009, 22:28
 
Topic: Customised PhpMyAdmin upgraded to 2.11.9.5
Severity: Major
Versions affected: all
Reported by: upstream - PMASA-2009-1, PMASA-2009-2, PMASA-2009-3, PMASA-2009-4
Issue no.: MDL-19234
Solution: Install latest package from http://moodle.org/mod/data/view.php?d=13&rid=448 or cvs
Workaround: delete admin/mysql/*


Description:
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2009-1
 http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2009-2
 http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2009-3
 http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2009-4

Please note that some of these vulnerabilities may not be exploitable due to our specific integration changes.

Imagen de Petr Škoda (skodak)
MSA-09-0012: SQL injections when importing outcomes
de Petr Škoda (skodak) - miércoles, 20 de mayo de 2009, 19:01
 
Topic: SQL injections when importing outcomes
Severity: Major
Versions affected: < 1.9.5
Reported by: internal review
Issue no.: MDL-19036
Solution: upgrade to 1.9.5


Description:
When reviewing the import outcomes code, it was discovered that incorrect coding allowed SQL injections. By default only trusted users are allowed to use this part of gradebook. It can not be exploited by students.

Temas antiguos ...



 
 
Saltar Hot security topics
 

Hot security topics

 
Saltar Register for alerts
 

Register for alerts

Did you know if you register your Moodle site with moodle.org you can receive early email alerts of security issues? To register, just visit Admin > Notifications in your own Moodle site.
 
Saltar Report new issues
 

Report new issues

Please "Create a new issue" in the Moodle Tracker describing the problem (and solution if possible) in detail. Make sure you set the Security Level accurately to make sure that the security team sees it. Bugs classified as a "Serious security issue" will be hidden from the general public until the security team (led by Petr Skoda) is able to resolve it and publish fixes to registered Moodle sites.

 
Saltar Keep your Moodle up-to-date
 

Keep your Moodle up-to-date

It's good practice to always use the latest stable release of the version you are using. For example, it is very safe and easy to go from 1.9.1 to the latest 1.9.x, because the stable branches generally don't contain any new features (just big fixes). CVS is a very easy way to do this.

For more information and alternative ideas, see the Security Documentation.

 
Saltar Check your security report
 

Check your security report

If you have Moodle 1.9.4 and later, you'll find a new Security Report under Admin -> Reports -> Security

Give it a try! It'll check for kinds of potential security problems that you might have in your configuration.
 
Saltar Recent security and privacy discussions