Security announcements

MSA-13-0023: Permission issue in blog comments

by Michael de Raadt
Description: There was no check of permissions for viewing comments on blog posts.
Issue summary: Blog comment validation should verify that the user can view a post.
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions
Versions fixed: 2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by: Dan Poltawski
Issue no.: MDL-37245
CVE identifier: CVE-2013-2082
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37245

MSA-13-0022: Information leak in hub registration

by Michael de Raadt
Description: When registering a site on a hub (not Moodle.net), site information was being sent to the hub regardless of settings chosen.
Issue summary: Moodle sends site information to a hub even though it's unchecked
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions
Versions fixed: 2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by: Jérôme Mouneyrac
Issue no.: MDL-37822
CVE identifier: CVE-2013-2081
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37822

MSA-13-0021: Potential information leak in Gradebook

by Michael de Raadt
Description: The Gradebook's Overview report was showing grade totals that may have incorrectly included hidden grades.
Issue summary: The method for figuring out showtotalsifcontainhidden on the overview report is flawed
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, earlier unsupported versions
Versions fixed: 2.5, 2.4.4 and 2.3.7
Reported by: Andrew Davis
Issue no.: MDL-37475
CVE identifier: CVE-2013-2080
Workaround: Ensure all courses have the same value for hiding grades in the gradebook. This is set at Administration > Grades > Course grade settings > Hide totals if they contain hidden items
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37475

MSA-13-0020: Capability issue in Assignment

by Michael de Raadt
Description: The assignment module was not checking capabilities for users downloading all assignments as a zip.
Issue summary: Students can download assignments submitted by other students
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6
Versions fixed: 2.5, 2.4.4 and 2.3.7
Reported by: Phillip Franks
Issue no.: MDL-38443
CVE identifier: CVE-2013-2079
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38443

MSA-13-0019: Unauthorised settings editing through WebDAV repository

by Michael de Raadt
Description: Any user able to view WebDAV repositories was able to view, edit and delete site-wide WebDAV repositories.
Issue summary: Site-wide WebDAV repository instances options are accessible
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only)
Versions fixed: 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, 2.2.8 and 2.2.9
Reported by: Frédéric Massart
Issue no.: MDL-37852
CVE identifier: CVE-2013-1836
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37852

MSA-13-0018: Personal information leak through repositories

by Michael de Raadt
Description: Users able to use "login as" were able to see the personal repository content of the user they were impersonating
Issue summary: Admin users logged in as another user have access to the content of their external repositories
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only)
Versions fixed: 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, 2.2.8 and 2.2.9
Reported by: Andrew Nicols
Issue no.: MDL-36426
CVE identifier: CVE-2013-1835
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36426

MSA-13-0017: Form manipulation issue in notes

by Michael de Raadt
Description: By manipulating form elements it was possible to assign a note to a different user during editing.
Issue summary: Go to the edit notes form, change userid in the HTML with Firebug => the targeted note user is changed
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (1.9 onwards)
Versions fixed: 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, 2.2.8 and 2.2.9
Reported by: Jérôme Mouneyrac
Issue no.: MDL-37411
CVE identifier: CVE-2013-1834
Workaround: Disable notes
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37411

MSA-13-0016: External Entity Injection through Zend library

by Michael de Raadt
Description: Through the Zend library, clients of Moodle Web services were potentially able to reveal files on the server
Issue summary: Zend XmlRpc: Local file disclosure via XXE injection
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only)
Versions fixed: 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, 2.2.8 and 2.2.9
Reported by: Frédéric Massart
Issue no.: MDL-34284
CVE identifier: CVE-2012-3363
Workaround: Disable Web services
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284

MSA-13-0015: Cross-site scripting issue in Filepicker

by Michael de Raadt
Description: It was possible to upload files with filenames containing HTML and JavaScript
Issue summary: Code injection (XSS) possible in File Picker
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only)
Versions fixed: 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, 2.2.8 and 2.2.9
Reported by: Frédéric Massart
Issue no.: MDL-37507
CVE identifier: CVE-2013-1833
Workaround: Avoid the filesystem repository on Linux file systems and the Google Docs/Drive repository
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37507

MSA-13-0014: Password revealed in WebDAV repository

by Michael de Raadt
Description: The password for a WebDAV repository was not hidden on the repository configuration form.
Issue summary: WebDAV repository password field is plain text allowing admin to see password
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only)
Versions fixed: 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, 2.2.8 and 2.2.9
Reported by: John Holmes
Issue no.: MDL-37681
CVE identifier: CVE-2013-1832
Workaround: Avoid WebDAV repositories requiring personal passwords
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37681