| Description: | Parameter "file" passed to scripts serving JS was not always cleaned from including "../" in the path, allowing to read files located outside of moodle directory. All OS are affected but especially vulnerable are Windows servers |
| Issue summary: | Preauthenticated Local File Disclosure |
| Severity/Risk: | Serious |
| Versions affected: | 2.8 to 2.8.2, 2.7 to 2.7.4, 2.6 to 2.6.7 and earlier unsupported versions. The earlies affected version is 2.3 on Windows servers and 2.5 on servers with other OS. It is highly recommended to apply patch manually if you are running unsupported version or otherwise unable to upgrade. |
| Versions fixed: | 2.8.3, 2.7.5 and 2.6.8 |
| Reported by: | Emiel Florijn |
| Issue no.: | MDL-48980 and MDL-48990 |
| Workaround: | Prevent access to URLs containing "../" or "..\" in web server configuration |
| CVE identifier: | CVE-2015-1493 (also aliased as CVE-2015-0246) |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48980 |
MSA-15-0009: Directory Traversal Attack possible through some files serving JS
by Marina Glancy -
Number of replies: 0