Security announcements

MSA-08-0013: CSRF (Cross-site Request Forgery) on Moodle edit profile page

Posted by Petr Skoda
Topic: CSRF (Cross-site Request Forgery) on Moodle edit profile page
Severity: Major
Versions affected: <1.6.7, <1.7.5
Reported by: Amir Azam and Adrian Pastor of ProCheckUp Ltd. (www.procheckup.com)
Issue no.: MDL-15450
Solution: upgrade to 1.6.7, 1.7.5 or any recent nightly, or apply the patches http://cvs.moodle.org/moodle/user/edit.php?r1=1.112.2.4.2.1&r2=1.112.2.4.2.2 and http://cvs.moodle.org/moodle/user/Attic/edit.html?r1=1.88.2.3&r2=1.88.2.3.2.1

Description:

ProCheckUp discovered that the user profile edit page (user/edit.php) on 1.6.x and 1.7.x sites is vulnerable to CSRF (Cross-site Request Forgery): the page accepts a profile update from any request that carries the victim's session cookie, so a logged-in user who visits a malicious page can have profile fields changed without their knowledge. Versions 1.8 and above are not vulnerable, because the forms library introduced there enforces a per-session key (sesskey) check on every form submission, and a cross-site request cannot supply that key. We would like to thank them for informing us in a responsible manner and for coordinating the disclosure of this advisory.
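As an added illustration (not Moodle's own code, and not the patch linked above), the following standalone PHP script contrasts a profile-update handler that trusts any authenticated POST with one that embeds and verifies a per-session key, modelled on the sesskey check that Moodle's forms library performs. The function names (update_profile_unprotected, update_profile_protected, render_edit_form, make_sesskey, confirm_sesskey_like), the sample user record and the simulated requests are all constructed for this example.

```php
<?php
// Added illustration, not Moodle code. Shows why a form handler that trusts
// any authenticated POST is forgeable, and the per-session key check that
// stops it. All names and sample data below are invented for the example.

// Sample user record (constructed).
$user = ['id' => 2, 'email' => 'alice@example.org', 'city' => 'Perth'];

// Pre-1.8 style: the session cookie is the only thing tying the request to
// the user, and the browser attaches that cookie to a cross-site form post
// just as readily as to a legitimate one.
function update_profile_unprotected(array &$user, array $post): bool
{
    foreach (['email', 'city'] as $field) {
        if (isset($post[$field])) {
            $user[$field] = $post[$field];
        }
    }
    return true;
}

// Hardened: one random secret per login session, emitted as a hidden field
// in the edit form and required on every submission (modelled on sesskey()).
function make_sesskey(array &$session): string
{
    if (empty($session['sesskey'])) {
        $session['sesskey'] = bin2hex(random_bytes(16));
    }
    return $session['sesskey'];
}

function render_edit_form(array &$session, array $user): string
{
    $key   = htmlspecialchars(make_sesskey($session), ENT_QUOTES, 'UTF-8');
    $email = htmlspecialchars($user['email'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="edit.php">'
        . '<input type="hidden" name="sesskey" value="' . $key . '">'
        . '<input type="text" name="email" value="' . $email . '">'
        . '<input type="submit" value="Update profile"></form>';
}

// Constant-time comparison. A third-party page cannot read the victim's
// sesskey because of the same-origin policy, so it cannot supply it.
function confirm_sesskey_like(array $session, array $post): bool
{
    return isset($session['sesskey'], $post['sesskey'])
        && hash_equals($session['sesskey'], (string) $post['sesskey']);
}

function update_profile_protected(array &$session, array &$user, array $post): bool
{
    if (!confirm_sesskey_like($session, $post)) {
        return false;               // forged or stale request: change nothing
    }
    return update_profile_unprotected($user, $post);
}

// Simulated requests (constructed). $forged is what a hidden auto-submitting
// form on a third-party page would send, with the victim's cookie attached.
$forged = ['email' => 'attacker@example.net', 'city' => 'Nowhere'];
$own    = ['email' => 'alice.new@example.org', 'city' => 'Perth'];

$victim = $user;
update_profile_unprotected($victim, $forged);
printf("unprotected handler: email is now %s\n", $victim['email']);

$session = [];                        // fresh login session
$victim  = $user;
render_edit_form($session, $victim);  // the real edit page mints the key
$ok = update_profile_protected($session, $victim, $forged);
printf("protected handler, forged post: accepted=%s, email=%s\n",
       var_export($ok, true), $victim['email']);

$own['sesskey'] = $session['sesskey']; // only the genuine form carries this
$ok = update_profile_protected($session, $victim, $own);
printf("protected handler, own form: accepted=%s, email=%s\n",
       var_export($ok, true), $victim['email']);
```

Run it with `php` from the command line: the first line shows the forged post succeeding against the unprotected handler, the second shows it rejected, and the third shows the user's own submission accepted. The properties that make the check work are that the key is unguessable, tied to the login session, compared in constant time, and required on every state-changing request regardless of whether the data arrives by GET or POST.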