| Description: | It is possible to read a system file by trying to include it in boost theme preset. This can only be exploited by moodle admins and only potentially dangerous in developer debugging mode. |
| Issue summary: | System file inclusion when adding own preset file (Boost theme) |
| Severity/Risk: | Minor |
| Versions affected: | 3.2 |
| Versions fixed: | 3.2.1 |
| Reported by: | Frédéric Massart |
| Issue no.: | MDL-56992 |
| Workaround: | Define $CFG->debugdisplay=0; and $CFG->debug=0; in config.php until the fix is applied |
| CVE identifier: | - |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56992 |
MSA-17-0001: System file inclusion when adding own preset file in Boost theme
by Marina Glancy -
Number of replies: 0