Security announcements

MSA-13-0013: Server information revealed through exception messages

by Michael de Raadt
Description: Exception messages were revealing server file system information
Issue summary: Server system path revealed through exception messages
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions
Versions fixed: 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, 2.2.8 and 2.2.9
Reported by: Mark Nielsen
Issue no.: MDL-36901
CVE identifier: CVE-2013-1831
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36901

MSA-13-0012: Information leak in course profiles

by Michael de Raadt
Description: Course profiles were accessible without logging in as a real user
Issue summary: Course profiles open to Google even when forceloginforprofiles is enabled
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions
Versions fixed: 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, 2.2.8 and 2.2.9
Reported by: Helen Foster
Issue no.: MDL-37481
CVE identifier: CVE-2013-1830
Workaround: Leave autologinguests and opentogoogle settings disabled (default)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37481

MSA-13-0011: Calendar subscription capability issue

by Michael de Raadt
Description: Users without appropriate capabilities were shown controls to update calendar subscriptions, even though they were not able to modify subscriptions.
Issue summary: Student should not be able to see the subscription which they can't manage
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1
Versions fixed: 2.4.2 and 2.4.3
Reported by: Ankit Agarwal
Issue no.: MDL-37338
CVE identifier: CVE-2013-1829
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37338

MSA-13-0010: Failure to check capabilities in calendar

by Michael de Raadt
Description: Students were able to delete course level calendar subscriptions created by teachers.
Issue summary: Student user able to Remove imported calendar from Manage Subscriptions
Severity/Risk: Minor
Versions affected: 2.4
Reported by: David O'Brien
Issue no.: MDL-37106
CVE identifier: CVE-2012-6106
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37106

MSA-13-0009: Information leak through Blog RSS

by Michael de Raadt
Description: Blog posts were still accessible via the blog RSS feed, even after blogging was disabled globally.
Issue summary: Blog posts still available via RSS even after the blogging is disabled
Severity/Risk: Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+
Reported by: David Mudrak
Issue no.: MDL-37467
CVE identifier: CVE-2012-6105
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37467

MSA-13-0008: Information leak through Blog RSS

by Michael de Raadt
Description: Blog posts that were hidden from guest users in the Web interface were being included in the related RSS feed.
Issue summary: Guest users can access RSS feed for site level blogs
Severity/Risk: Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+
Reported by: Charles Fulton
Issue no.: MDL-36620
CVE identifier: CVE-2012-6104
Workaround: Disable blogging
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36620

MSA-13-0007: Potential exploit in messaging

by Michael de Raadt
Description: The messaging system was not checking the user's session correctly when messages were sent.
Issue summary: Course message sending can be exploited by CSRF
Severity/Risk: Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+
Reported by: Andrew Nicols
Issue no.: MDL-36600
CVE identifier: CVE-2012-6103
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36600

MSA-13-0006: Potential information leak in Assignment module

by Michael de Raadt
Description: Through URL manipulation, students were able to view feedback comments provided on other students' submissions.
Issue summary: Assignment comment permissions are not being validated
Severity/Risk: Serious
Versions affected: 2.4, 2.3 to 2.3.3+
Reported by: Dan Poltawski
Issue no.: MDL-37244
CVE identifier: CVE-2012-6102
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37244

MSA-13-0005: Potential phishing attack through URL redirects

by Michael de Raadt
Description: Insufficient filtering of return URLs on some pages was allowing redirects to sites outside Moodle.
Issue summary: Open redirect issues
Severity/Risk: Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+
Reported by: Simon Coggins
Issue no.: MDL-35991
CVE identifier: CVE-2012-6101
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35991

MSA-13-0004: Information leak through activity report

by Michael de Raadt
Description: Under certain circumstances, when last access is included in a list of fields forced to be hidden, the Activity report would still reveal users' last access.
Issue summary: Activity Report showing lastaccess even if it is a hidden field
Severity/Risk: Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+
Reported by: Jody Steel
Issue no.: MDL-33340
CVE identifier: CVE-2012-6100
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-33340