According to the latest message sent to registered administrators by Martin Dougiamas, the latest stable releases 1.8.8+ and 1.9.4+ bring a series of additional items aimed at improving Moodle's security.
See his message below (in English):
Hello registered Moodle admins!
This is a notice to inform you about new stable releases of Moodle (on
all current stable branches) that fix some security issues, a number
of other bugs and even introduce some new features (such as privacy
enhancements and a new security report in 1.9.4).
See http://download.moodle.org for details! Each version there has
links to release notes and upgrading notes.
Below is a list of the security issues. We will not be publishing
these on moodle.org for a week, to give you a chance to upgrade your
sites first.
Thanks as usual to Petr Skodak for managing these security issues for us!
Cheers,
Martin Dougiamas,
Moodle Founder and Lead Developer
======================================================
MSA-09-0001
Topic: No easy way to remove pictures of deleted users
Severity: minor
Versions affected: <1.9.4, < 1.8.8
Reported by: Howard Miller
Issue no.: MDL-17065
Solution: update to latest releases, weeklies or replace
/user/pix.php; workaround is to remove images before deleting users or
delete from shell/ftp
Description:
Spammers or other vandals might upload unwanted images as avatars.
After deleting users there was no easy way to remove those images.
Solution was to ignore images of deleted users. See tracker for
details.
Note:
Exploits would probably be targeted at wikis, databases and glossaries,
because admins usually delete forum posts, as they are easy to
stop (==linked from profile).
Final solution should be implementation in 2.0 - full purging of user
accounts after delete which would remove all user data.
=============================================================
MSA-09-0002
Topic: User pix disclosure
Severity: minor
Versions affected: <1.9.4; < 1.8.8
Reported by: Juan Segarra Montesinos
Issue no.: MDL-17027
Solution: update to latest weeklies or replace /user/pix.php;
workaround is to disable upload of avatars and remove all current images
Description:
User avatars did not have any login protection at all - intentionally.
Login is now required if you enable $CFG->forcelogin (login required
for all pages, disabled by default).
Note:
Exploit described in tracker. Please do not confuse this setting with
$CFG->forceloginforprofiles.
============================================
MSA-09-0003
Topic: Vulnerability in Snoopy 1.2.3
Severity: major
Versions affected: <1.9.4, <1.8.8, <1.7.7, <1.6.9
Reported by: Nigel McNie
Issue no.: MDL-17110 / CVE-2008-4796
Solution: update to latest releases, weeklies or patch lib/snoopy/*
Description:
Snoopy 1.2.3 library does incorrect shell command escaping when
fetching from https.
Note:
The easiest way to exploit this is probably RSS block on My moodle
page - any registered user.
Please note that Moodle 1.9.x uses Snoopy only if the PHP Curl extension
is NOT installed, because we have patched magpie to use our
download_file_content() - see MDL-11845
===================================================
MSA-09-0004
Topic: XSS vulnerabilities in HTML blocks if "Login as" used
Severity: major
Versions affected: <1.9.4, <1.8.8, <1.7.7, <1.6.9
Reported by: The Rat
Issue no.: MDL-17236
Solution: update to latest releases or weeklies
http://cvs.moodle.org/moodle/blocks/html/config_instance.html?r1=1.6&r2=1.6.10.1
http://cvs.moodle.org/moodle/blocks/html/block_html.php?r1=1.8.22.6&r2=1.8.22.7
Description:
It was reported that there is an XSS vulnerability in the HTML block; it
can be exploited if a teacher or administrator uses "Login as" and goes
to the MyMoodle or Blog page of that user.
==================================================
MSA-09-0005
Topic: Moodle 'spell-check-logic.cgi' Insecure Temporary File Creation Vulnerability
Severity: major
Versions affected: <1.9.4, <1.8.8, <1.7.7, <1.6.9
Reported by: http://www.securityfocus.com/bid/32402
Issue no.: MDL-17368 / CVE-2008-5153
Solution: update to latest releases or remove the directory:
lib/editor/htmlarea/plugins/SpellChecker/
Description:
see bug for details - it is safe to delete that directory because we
use a different spellchecker
==================================================
MSA-09-0006
Topic: Calendar export may allow brute force attacks
Severity: major
Versions affected: <1.9.4
Reported by: Daniel Cabezas
Issue no.: MDL-17203
Solution: update to latest release
Description:
Calendar export was disclosing sensitive information which could allow
brute force attacks on user accounts.
====================================================
MSA-09-0007
Topic: missing input validation in logs allows potential XSS attacks
Severity: major
Versions affected: <1.9.4, <1.8.8, <1.7.7, <1.6.9
Reported by: Full Name
Issue no.: MDL-17799
Solution: update to latest releases
http://cvs.moodle.org/moodle/course/lib.php?r1=1.538.2.66&r2=1.538.2.67
Description:
Some information stored in the log table was not properly validated before
being displayed on the log report.
====================================================
MSA-09-0008
Topic: CSRF vulnerability in forum code
Severity: major
Versions affected: <1.9.4, <1.8.8, <1.7.7
Reported by: Kevin Madura
Issue no.: MDL-17227
Solution: update to latest releases
http://cvs.moodle.org/moodle/mod/forum/post.php?r1=1.154.2.14&r2=1.154.2.15
http://cvs.moodle.org/moodle/mod/forum/prune.html?r1=1.8&r2=1.8.4.1
http://cvs.moodle.org/moodle/mod/forum/post.php?r1=1.154.2.15&r2=1.154.2.16
Description:
Kevin Madura reported a CSRF problem, which can be abused for
unauthorised deleting of forum posts.
--
You are receiving this email because you registered a Moodle site with Moodle.org
and chose to be added to this low-volume list of security notifications and other
important Moodle-related announcements for Moodle administrators.
To unsubscribe you can re-register your site (as above) and make sure you
turn the email option OFF in the registration form. You can also send
a blank email to sympa@lists.moodle.org with "unsubscribe securityalerts"
as the subject (from the email address that is subscribed).
See http://lists.moodle.org/info/securityalerts for more.
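As an added illustration of the two web-application issues in the advisory above (MSA-09-0007, log data rendered on a report without validation or escaping, and MSA-09-0008, a state-changing forum action that could be triggered cross-site), here is a small self-contained PHP script. It is not Moodle code and not part of the advisory: the function names (`session_token`, `csrf_token_valid`, `delete_post`, `render_log`), the in-memory post and log arrays, and the sample entries are all constructed for this example. It shows the defensive pattern both fixes rely on: a per-session secret that a forged cross-site request cannot supply, and HTML escaping of every stored field at the point where it is displayed.

```php
<?php
// Added example (not Moodle code): a minimal delete-post handler that
// (1) refuses requests lacking the session's anti-CSRF token and
// (2) escapes every log field before rendering a report.
// All names and sample data below are constructed for illustration.

declare(strict_types=1);

// --- Anti-CSRF token (cf. MSA-09-0008) --------------------------------

// Issue one random token per session and keep it server-side.
function session_token(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// A state-changing request must echo the session's token; a page on
// another origin cannot read it. hash_equals() is a constant-time compare.
function csrf_token_valid(array $session, array $request): bool
{
    return isset($session['csrf_token'], $request['token'])
        && is_string($request['token'])
        && hash_equals($session['csrf_token'], $request['token']);
}

// Delete a forum post only on a POST that carries a valid token.
// Returns true when the post was removed, false otherwise.
function delete_post(array &$session, array $request, string $method,
                     array &$posts, array &$log): bool
{
    $user = $session['user'] ?? '?';
    if ($method !== 'POST' || !csrf_token_valid($session, $request)) {
        $log[] = ['user' => $user, 'action' => 'delete_post',
                  'info' => 'rejected: missing or invalid token'];
        return false;
    }
    $id = (int) ($request['id'] ?? 0);
    if (!isset($posts[$id])) {
        return false;
    }
    unset($posts[$id]);
    $log[] = ['user' => $user, 'action' => 'delete_post', 'info' => "post $id"];
    return true;
}

// --- Log report rendering (cf. MSA-09-0007) ---------------------------

// Escape one stored value for an HTML text/attribute context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render the log as an HTML table; every field passes through h().
function render_log(array $log): string
{
    $rows = '';
    foreach ($log as $entry) {
        $rows .= '<tr><td>' . h((string) $entry['user'])
               . '</td><td>' . h((string) $entry['action'])
               . '</td><td>' . h((string) $entry['info']) . "</td></tr>\n";
    }
    return "<table>\n" . $rows . "</table>\n";
}

// --- Demonstration with constructed data -------------------------------

$session = ['user' => 'teacher1'];
$posts   = [7 => 'first post', 8 => 'second post'];
$log     = [];

// A cross-site POST cannot include the token, so it is refused and logged.
assert(delete_post($session, ['id' => 7], 'POST', $posts, $log) === false);
assert(isset($posts[7]));

// The site's own form embeds the session token, so the deletion succeeds.
$token = session_token($session);
assert(delete_post($session, ['id' => 7, 'token' => $token], 'POST', $posts, $log) === true);
assert(!isset($posts[7]));

// A constructed log entry containing markup is rendered inert.
$log[] = ['user' => 'guest', 'action' => 'view', 'info' => '<script>alert(1)</script>'];
$html = render_log($log);
assert(strpos($html, '<script>') === false);
assert(strpos($html, '&lt;script&gt;') !== false);

echo $html;
```

Run it with `php example.php` (PHP 7.0 or later for `random_bytes`). The two checks are independent: the token check belongs in every handler that changes state, regardless of how the request was logged, and the escaping belongs in the report regardless of what was validated when the entry was written, so a stored value that slipped past validation earlier still cannot execute in the reader's browser.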