serious problem with the TeX and algebra filters

by Khurram Iqbal -
Number of replies: 3

Dear All,

We received this email today. Can anyone please assist and explain what to do?

Regards,

------------------------------------------------------------------------------

Hi Moodle Admins,

A serious problem with the TeX and algebra filters (used for mathematics notation in Moodle) has been found which could allow attackers to access server files.

If you don't use TeX and algebra notation in your site then you should:

A) Simply disable the TeX and algebra filters completely for now:

Admin > Modules > Filters > Manage Filters

Otherwise you should:

B) Update your Moodle site to the latest weekly version from this week, or

C) Copy the latest files from filter/tex/* into your current install.

The full copy of the security notice MSA-09-0009 is shown below - this will be added to http://moodle.org/security to inform the wider Moodle community sometime next week.

Topic: TeX filter file disclosure

Severity: Critical

Versions affected: < 1.9.5, < 1.8.9, 1.7.x, 1.6.x

Reported by: Christian Eibl

Issue no.: MDL-18552

Name: CVE-2009-1171

Solution: update to latest weeklies or copy latest filter/tex/*.* into your current install

Workaround: disable or delete TeX and Algebra filters completely

Description:

Christian Eibl reported and helped fix a serious TeX filter problem.

Unfortunately the details were released before we had a chance to inform administrators of registered Moodle sites. Please update your servers immediately or disable the TeX and Algebra filters until you are able to update.

Disclosure link: http://packetstormsecurity.org/0903-exploits/moodle-disclose.txt

------------------------------------------------------------------------------
In reply to Khurram Iqbal

Re: serious problem with the TeX and algebra filters

by Mauno Korpelainen -

I think that email explains it all: the main message is

- if you use TeX you should either upgrade your Moodle to the latest stable version, for example from http://download.moodle.org/, or you can download the latest package and just replace the old files of folder filter/tex with the new files

- if you can't upgrade or replace old vulnerable files you can simply disable TeX filter from Administration menu Admin > Modules > Filters > Manage Filters

- if you have never used TeX then the filter is by default disabled and you don't need to do anything

The algebra filter is a sub-filter of the TeX filter; it does not allow all the commands that the TeX filter does, and by default it uses mimeTeX, which should not be vulnerable in this case. The main vulnerability was in the TeX filter using some other distribution of LaTeX than mimeTeX.

Average of ratings: Useful (1)
In reply to Khurram Iqbal

Re: serious problem with the TeX and algebra filters

by Martin Dougiamas -
Hi,

This should not be posted to the public forums.

It was posted to Moodle admins privately for a reason (which was to give everyone a chance to upgrade before it went public).

We obviously need to come up with some way of translating these emails though! :)