Security announcements

MSA-17-0007: Global search displays user names for unauthenticated users

by Marina Glancy -
Description: Global search does not respect the "Force login for profiles" setting and displays user names to guests when it should not (user profiles were still not displayed)
Issue summary: Global search displays user names for unauthenticated user search
Severity/Risk: Minor
Versions affected: 3.2 to 3.2.1
Versions fixed: 3.2.2
Reported by: Nadav Kavalerchik
Issue no.: MDL-56526
CVE identifier: CVE-2017-2643
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56526

MSA-17-0005: SQL injection via user preferences

by Marina Glancy -
Description: A PoC was presented of SQL injection by an ordinary registered user on Moodle 3.2 via the web interface. A similar scenario could be used in previous versions of Moodle, but only by managers/admins and only via web services.
Issue summary: Remote Code Execution @ 3.2.1
Severity/Risk: Serious
Versions affected: 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions
Versions fixed: 3.2.2, 3.1.5, 3.0.9 and 2.7.19
Reported by: Netanel Rubin
Issue no.: MDL-58010
CVE identifier: CVE-2017-2641
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58010

MSA-17-0004: XSS in assignment submission page

by Marina Glancy -
Description: HTML injection with a potential XSS attack was possible by modifying the URL for assignment submission and tricking another user into following it
Issue summary: XSS in assignment submission page
Severity/Risk: Minor
Versions affected: 3.2 and 3.1 to 3.1.3
Versions fixed: 3.2.1 and 3.1.4 (also backported to 2.7.18 and 3.0.8 as a precaution)
Reported by: Ago Luberg and Wael AbuSeada
Issue no.: MDL-57580
CVE identifier: CVE-2017-2578
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-57580

MSA-17-0003: PHPMailer vulnerability in no-reply address

by Marina Glancy -
Description: A security vulnerability was reported against PHPMailer, a third-party library used by Moodle. As a result, Moodle improved validation of the no-reply address (which can only be configured by an admin); all other fields were already properly sanitized. This issue only affects sites that leave $CFG->smtphosts empty.
Issue summary: Address the vulnerabilities in recent PHPMailer 5.2.x
Severity/Risk: Serious
Versions affected: 3.2, 3.1 to 3.1.3, 3.0 to 3.0.7, 2.9 to 2.9.9, 2.8 to 2.8.12, 2.7 to 2.7.17 and earlier unsupported versions
Versions fixed: 3.2.1, 3.1.4, 3.0.8 and 2.7.18
Reported by: Matteo Scaramuccia
Issue no.: MDL-57531
Workaround: Define $CFG->noreplyaddress and $CFG->supportemail in config.php
CVE identifier: CVE-2016-10045 (PHPMailer)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-57531

MSA-17-0002: Incorrect sanitisation of attributes in forums

by Marina Glancy -
Description: A forum post author can change too many fields when editing the post
Issue summary: Incorrect sanitisation of attributes
Severity/Risk: Minor
Versions affected: 3.2, 3.1 to 3.1.3, 3.0 to 3.0.7, 2.9 to 2.9.9, 2.8 to 2.8.12, 2.7 to 2.7.17 and earlier unsupported versions
Versions fixed: 3.2.1, 3.1.4, 3.0.8 and 2.7.18
Reported by: Anshul Jain
Issue no.: MDL-56225
CVE identifier: CVE-2017-2576
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56225

MSA-17-0001: System file inclusion when adding own preset file in Boost theme

by Marina Glancy -
Description: It is possible to read a system file by trying to include it in a Boost theme preset. This can only be exploited by Moodle admins and is only potentially dangerous in developer debugging mode.
Issue summary: System file inclusion when adding own preset file (Boost theme)
Severity/Risk: Minor
Versions affected: 3.2
Versions fixed: 3.2.1
Reported by: Frédéric Massart
Issue no.: MDL-56992
Workaround: Define $CFG->debugdisplay=0; and $CFG->debug=0; in config.php until the fix is applied
CVE identifier: -
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56992

MSA-16-0026: When debugging is enabled, error exceptions returned from webservices could contain private data.

by Marina Glancy -
Description: Hopefully production sites never have debugging mode enabled, and this is more of an improvement limiting the information returned in web service error messages.
Issue summary: When debugging is enabled, error exceptions returned from webservices could contain private data.
Severity/Risk: Serious
Versions affected: 3.1 to 3.1.2, 3.0 to 3.0.6 and 2.9 to 2.9.8
Versions fixed: 3.1.3, 3.0.7 and 2.9.9
Reported by: Damyon Wiese
Issue no.: MDL-56268
CVE identifier: none (this issue does not qualify for CVE)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56268
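The two config.php workarounds above (MSA-17-0003: define $CFG->noreplyaddress and $CFG->supportemail; MSA-17-0001: set $CFG->debug and $CFG->debugdisplay to 0) and the production state MSA-16-0026 assumes (debugging off) all live in the same file. The fragment below is an added illustration of where they go, not code from the advisories or from Moodle itself; the database, wwwroot, dataroot and e-mail values are placeholders, and the surrounding boilerplate follows the standard layout Moodle's installer writes.

```php
<?php
// Added illustration (not Moodle's own code and not a patch from the advisories):
// a config.php that applies the MSA-17-0003 and MSA-17-0001 workarounds and keeps
// debugging disabled as MSA-16-0026 expects. All concrete values are placeholders.
unset($CFG);
global $CFG;
$CFG = new stdClass();

// Placeholder site settings, in the layout the installer writes.
$CFG->dbtype    = 'pgsql';
$CFG->dblibrary = 'native';
$CFG->dbhost    = 'localhost';
$CFG->dbname    = 'moodle';
$CFG->dbuser    = 'moodleuser';
$CFG->dbpass    = 'change-me';
$CFG->prefix    = 'mdl_';
$CFG->wwwroot   = 'https://moodle.example.org';
$CFG->dataroot  = '/var/moodledata';
$CFG->admin     = 'admin';
$CFG->directorypermissions = 0777;

// MSA-17-0003 workaround: pin the no-reply and support addresses here instead of
// leaving them admin-editable. The advisory notes the issue only affects sites
// that leave $CFG->smtphosts empty.
$CFG->noreplyaddress = 'noreply@moodle.example.org';
$CFG->supportemail   = 'support@moodle.example.org';

// MSA-17-0001 workaround, and the production state MSA-16-0026 assumes:
// no developer debugging (0 == DEBUG_NONE) and no error output to the browser.
$CFG->debug        = 0;
$CFG->debugdisplay = 0;

// Every $CFG value must be set before this line; setup.php is where Moodle
// reads them and locks them as forced settings.
require_once(__DIR__ . '/lib/setup.php');
```

Values assigned in config.php are forced settings: Moodle shows them read-only under Site administration, so an admin cannot re-enable debugging or change the no-reply address from the web interface while the lines are present. Remove the workaround lines only after the fixed version is deployed, and keep the debug lines regardless on any production site.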

MSA-16-0025: Capability to view course notes is checked in the wrong context

by Marina Glancy -
Description: An incorrect capability check may have allowed users to view course notes when they had a site-wide permission that was revoked inside a course
Issue summary: Notes has_capability check not called for correct context
Severity/Risk: Minor
Versions affected: 3.1 to 3.1.2, 3.0 to 3.0.6, 2.9 to 2.9.8, 2.8 to 2.8.12, 2.7 to 2.7.16 and earlier unsupported versions
Versions fixed: 3.1.3, 3.0.7, 2.9.9 and 2.7.17
Reported by: Andrew Nicols
Issue no.: MDL-51347
CVE identifier: CVE-2016-8644
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51347
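The class of bug described in this announcement, as an added illustration in PHP. This is not Moodle's code and not the MDL-51347 patch; the function names are assumed for the example, while `has_capability`, `require_capability`, `require_login`, `context_system`, `context_course` and the `moodle/notes:view` capability are Moodle's own APIs.

```php
<?php
// Added illustration, not the MDL-51347 fix: the same capability evaluated in two
// contexts. Moodle resolves role overrides per context, so a capability allowed
// at system level but overridden to prevent/prohibit inside a course is only
// seen when the check is made against that course's context.
defined('MOODLE_INTERNAL') || die();

/**
 * Wrong: asks the system context, so a course-level override for this user
 * is never consulted and the site-wide "allow" wins. $courseid is ignored.
 */
function example_notes_can_view_wrong(int $courseid, int $userid): bool {
    return has_capability('moodle/notes:view', context_system::instance(), $userid);
}

/**
 * Right: ask the context the notes belong to. The course context inherits the
 * system-level role definitions and then applies any override set in that course.
 */
function example_notes_can_view_right(int $courseid, int $userid): bool {
    $context = context_course::instance($courseid);
    return has_capability('moodle/notes:view', $context, $userid);
}

/**
 * Enforcing variant for page scripts: require_capability() throws
 * required_capability_exception (rendered as an error page) instead of
 * returning false, and require_login() establishes course access first.
 */
function example_notes_require_view(int $courseid): void {
    require_login($courseid);
    require_capability('moodle/notes:view', context_course::instance($courseid));
}
```

When reviewing a capability check, the question is not only which capability is named but which context is passed: for anything scoped to a course, activity or block, the check must use that context (or a child of it) so that overrides applied there are honoured.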

MSA-16-0024: Non-admin site managers may accidentally edit admins via web services

by Marina Glancy -
Description: Normally, in the Moodle web interface, non-admin users with the capability to edit other users cannot edit information about admins; this was not respected in one of the web services. This can only be a security vulnerability if this WS was exposed to some external service; it is not exposed to the mobile app
Issue summary: Prevent some users from being updated by the update_users WS
Severity/Risk: Minor
Versions affected: 3.1 to 3.1.2, 3.0 to 3.0.6, 2.9 to 2.9.8, 2.8 to 2.8.12, 2.7 to 2.7.16 and earlier unsupported versions
Versions fixed: 3.1.3, 3.0.7, 2.9.9 and 2.7.17
Reported by: Juan Leyva
Issue no.: MDL-56065
CVE identifier: CVE-2016-8643
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56065

MSA-16-0023: Question engine allows access to files that should not be available

by Marina Glancy -
Description: A user can guess the URL of a file embedded in a question that they are not able to access and download it using the identifier of a question they can access
Issue summary: Question engine allows access to files that I should not be able to view
Severity/Risk: Minor
Versions affected: 3.1 to 3.1.2, 3.0 to 3.0.6, 2.9 to 2.9.8, 2.8 to 2.8.12, 2.7 to 2.7.16 and earlier unsupported versions
Versions fixed: 3.1.3, 3.0.7, 2.9.9 and 2.7.17
Reported by: Martin Gauk
Issue no.: MDL-53744
CVE identifier: CVE-2016-8642
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53744