Description: It is possible to read a system file by trying to include it in a Boost theme preset. This can only be exploited by Moodle admins and is only potentially dangerous in developer debugging mode.
Issue summary: System file inclusion when adding own preset file (Boost theme)
Severity/Risk: Minor
Versions affected: 3.2
Versions fixed: 3.2.1
Reported by: Frédéric Massart
Issue no.: MDL-56992
Workaround: Define $CFG->debugdisplay=0; and $CFG->debug=0; in config.php until the fix is applied
CVE identifier: -
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56992
MSA-17-0001: System file inclusion when adding own preset file in Boost theme
by Marina Glancy