Security Announcements

MSA-09-0013: Customised PhpMyAdmin upgraded to 2.11.9.5
by Petr Škoda (skodak) - Wednesday, May 20, 2009, 10:28 PM
 
Topic: Customised PhpMyAdmin upgraded to 2.11.9.5
Severity: Major
Versions affected: all
Reported by: upstream - PMASA-2009-1, PMASA-2009-2, PMASA-2009-3, PMASA-2009-4
Issue no.: MDL-19234
Solution: Install latest package from http://moodle.org/mod/data/view.php?d=13&rid=448 or CVS
Workaround: delete admin/mysql/*


Description:
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2009-1
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2009-2
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2009-3
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2009-4

Please note that some of these vulnerabilities may not be exploitable due to our specific integration changes.

MSA-09-0012: SQL injections when importing outcomes
by Petr Škoda (skodak) - Wednesday, May 20, 2009, 07:01 PM
 
Topic: SQL injections when importing outcomes
Severity: Major
Versions affected: < 1.9.5
Reported by: internal review
Issue no.: MDL-19036
Solution: upgrade to 1.9.5


Description:
When reviewing the import outcomes code, it was discovered that incorrect coding allowed SQL injections. By default only trusted users are allowed to use this part of gradebook. It cannot be exploited by students.

MSA-09-0011: Glossary, database and forum ratings are not verified after submission
by Petr Škoda (skodak) - Wednesday, May 20, 2009, 07:01 PM
 
Topic: Glossary, database and forum ratings are not verified after submission
Severity: Major
Versions affected: < 1.9.5, < 1.8.9, 1.7.x, 1.6.x
Reported by: Eloy Lafuente
Issue no.: MDL-18058, MDL-18059 and MDL-17365
Solution: upgrade to 1.9.5, 1.8.9 or latest 1.6.9+ and 1.7.7+ weekly builds


Description:
Eloy Lafuente discovered that submitted ratings are not verified after submission, which may alter results and affect final grades.

MSA-09-0010: Unzip binary may create symbolic links pointing outside of dataroot on unix/linux servers
by Petr Škoda (skodak) - Wednesday, May 20, 2009, 06:58 PM
 
Topic: Unzip binary may create symbolic links pointing outside of dataroot on unix/linux servers
Severity: Major
Versions affected: < 1.9.5, < 1.8.9, 1.7.x, 1.6.x
Reported by: Marc-Robin Wendt
Issue no.: MDL-18415
Solution: upgrade to 1.9.5 or 1.8.9
Workaround: use default internal unzip method


Description:
Marc-Robin Wendt reported the problem and proposed a solution of how to eliminate symbolic links when unzipping files. Info-zip executables can zip and unzip symbolic links. By default only trusted users are allowed to extract zip files. This should not be exploitable by students unless the roles are misconfigured or 3rd party extensions are installed.
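A defensive pre-extraction check of the kind the workaround above implies, as an added example in Python rather than Moodle's own PHP code: it reads each entry's Unix mode bits from the archive's central directory and resolves its destination path, and refuses to unpack an archive that contains symlink entries or entries that would land outside the dataroot. The dataroot path and the sample archive are constructed for this example.

```python
import io
import os
import stat
import tempfile
import zipfile

# Assumed extraction root; stands in for the Moodle dataroot directory.
SAMPLE_DATAROOT = os.path.join(tempfile.gettempdir(), "moodledata")


def build_sample_zip() -> bytes:
    """Constructed archive: an ordinary file, a symlink entry, a traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("course/notes.txt", "ordinary content")
        link = zipfile.ZipInfo("course/link")
        link.create_system = 3                      # Unix: upper 16 bits carry st_mode
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../etc/passwd")        # a symlink entry stores its target as data
        zf.writestr("../escape.txt", "would be written outside the root")
    return buf.getvalue()


def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    """Info-ZIP style archives keep Unix mode bits in the high external_attr bytes."""
    return info.create_system == 3 and stat.S_ISLNK(info.external_attr >> 16)


def unsafe_entries(archive: bytes, dataroot: str) -> list:
    """Names of entries that are symlinks or whose path resolves outside dataroot."""
    root = os.path.realpath(dataroot)
    rejected = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if is_symlink_entry(info):
                rejected.append(info.filename)
                continue
            dest = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, dest]) != root:
                rejected.append(info.filename)
    return rejected


def extract_checked(archive: bytes, dataroot: str) -> list:
    """Refuse the whole archive if any entry is unsafe; otherwise extract it."""
    bad = unsafe_entries(archive, dataroot)
    if bad:
        raise ValueError("refusing archive with unsafe entries: " + ", ".join(bad))
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        zf.extractall(dataroot)
        return zf.namelist()
```

Rejecting the whole archive, rather than skipping the bad entries, keeps a partially unpacked upload from being mistaken for a complete one.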

MSA-09-0009: TeX filter file disclosure
by Petr Škoda (skodak) - Monday, April 13, 2009, 10:46 PM
 
Topic: TeX filter file disclosure
Severity: Major
Versions affected: <= 1.9.4, <= 1.8.8, <= 1.7.7, <=1.6.9
Reported by: Christian Eibl
Issue no.: MDL-18552, CVE-2009-1171
Solution: update to latest weeklies or copy latest filter/tex/*.* and filter/algebra/*.* into your current install
Workaround: disable or delete TeX and Algebra filters completely


Description:
Christian Eibl reported and helped fix a serious TeX filter problem. Unfortunately the details were released before we had a chance to inform administrators of registered Moodle sites. Please update your servers immediately or disable the TeX and Algebra filters until you are able to update.

Prevent profile spam on your Moodle site
by Martin Dougiamas - Tuesday, February 10, 2009, 01:32 PM
 
One of the most common security issues that we see in Moodle sites is profile spam.

Profile spam is primarily a problem on sites with the combination of these two settings:
  1. email authentication is enabled, allowing people to self-create an account on the site
  2. the admin setting forceloginforprofiles is disabled, allowing anyone to see and link to user profiles
Some older versions of Moodle had these as default.

The problem with these settings is that spammers can create a page on the Moodle site which they can fill with links and pictures of porn and other nasty stuff. This in turn comes up in Google searches for those things, and is used to boost ratings of porn sites or hacking sites designed to take over your personal computer. Note that this content is designed for people using search engines, and is usually not available from within the Moodle site itself (since spammers don't join any courses), so users and admins are usually not even aware their site is having this problem.

Please pass the word to all Moodle admins that you know to check these Moodle site settings and make sure their sites are not vulnerable to profile spam. Email authentication should be disabled if not needed, and if it can't be, then forceloginforprofiles should definitely be enabled.

Please also use our spam-cleaning tool to scan your site to find affected profiles and delete them. This page in the docs has more details: Reducing_spam_in_Moodle and you can also get help in the Security and Privacy forum.
MSA-09-0008: CSRF vulnerability in forum code
by Petr Škoda (skodak) - Wednesday, February 4, 2009, 06:14 PM
 
Topic: CSRF vulnerability in forum code
Severity: Major
Versions affected: < 1.9.4, < 1.8.8, < 1.7.7
Reported by: Kevin Madura
Issue no.: MDL-17799, CVE-2009-0499
Solution: update to latest releases, weeklies or
http://cvs.moodle.org/moodle/mod/forum/post.php?r1=1.154.2.14&r2=1.154.2.15
http://cvs.moodle.org/moodle/mod/forum/prune.html?r1=1.8&r2=1.8.4.1
http://cvs.moodle.org/moodle/mod/forum/post.php?r1=1.154.2.15&r2=1.154.2.16


Description:
Kevin Madura reported a CSRF problem, which can be abused for unauthorised deleting of forum posts.

MSA-09-0007: Missing input validation in logs allows potential XSS attacks
by Petr Škoda (skodak) - Wednesday, February 4, 2009, 06:12 PM
 
Topic: Missing input validation in logs allows potential XSS attacks
Severity: Major
Versions affected: < 1.9.4, < 1.8.8, < 1.7.7, < 1.6.9
Reported by: Full Name
Issue no.: MDL-17799, CVE-2009-0500
Solution: update to latest releases, weeklies or
http://cvs.moodle.org/moodle/course/lib.php?r1=1.538.2.66&r2=1.538.2.67


Description:
Some information stored in the log table was not properly validated before being displayed on the log report.

MSA-09-0006: Calendar export may allow brute force attacks
by Petr Škoda (skodak) - Wednesday, February 4, 2009, 06:08 PM
 
Topic: Calendar export may allow brute force attacks
Severity: Major
Versions affected: < 1.9.4, < 1.8.8
Reported by: Daniel Cabezas
Issue no.: MDL-17203, CVE-2009-0501
Solution: update to latest releases or weeklies


Description:
Calendar export was disclosing sensitive information which could allow brute force attacks on user accounts.

MSA-09-0005: Moodle 'spell-check-logic.cgi' Insecure Temporary File Creation Vulnerability
by Petr Škoda (skodak) - Wednesday, February 4, 2009, 06:08 PM
 
Topic: Moodle 'spell-check-logic.cgi' Insecure Temporary File Creation Vulnerability
Severity: Major
Versions affected: < 1.9.4, < 1.8.8, < 1.7.7, < 1.6.9
Reported by: http://www.securityfocus.com/bid/32402
Issue no.: MDL-17368 / CVE-2008-5153
Solution: update to latest releases or removing directory: lib/editor/htmlarea/plugins/SpellChecker/


Description:
See the bug for details; it is safe to delete that directory because we use a different spellchecker.

Register for alerts

Did you know if you register your Moodle site with moodle.org you can receive early email alerts of security issues? To register, just visit Admin > Notifications in your own Moodle site.

Report new issues

Please "Create a new issue" in the Moodle Tracker describing the problem (and solution if possible) in detail. Make sure you set the Security Level accurately to make sure that the security team sees it. Bugs classified as a "Serious security issue" will be hidden from the general public until the security team (led by Petr Skoda) is able to resolve it and publish fixes to registered Moodle sites.


Keep your Moodle up-to-date

It's good practice to always use the latest stable release of the version you are using. For example, it is very safe and easy to go from 1.9.1 to the latest 1.9.x, because the stable branches generally don't contain any new features (just bug fixes). CVS is a very easy way to do this.

For more information and alternative ideas, see the Security Documentation.


Check your security report

If you have Moodle 1.9.4 or later, you'll find a new Security Report under Admin -> Reports -> Security

Give it a try! It'll check for the kinds of potential security problems that you might have in your configuration.