Security announcements

MSA-15-0016: Web services token can be created for user with temporary password

by Marina Glancy
Description: Even when a user's password is forced to be changed on login, the user could still use it for authentication in order to create a web service token and therefore extend the life of the temporary password via web services.
Issue summary: login/token.php does not check if auth_forcepasswordchange is on for the user
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier unsupported versions
Versions fixed: 2.8.4, 2.7.6 and 2.6.9
Reported by: Juan Leyva
Issue no.: MDL-48691
CVE identifier: CVE-2015-2272
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48691

MSA-15-0015: User without proper permission is able to mark the tag as inappropriate

by Marina Glancy
Description: A very minor case of not respecting a capability; it does not affect the majority of sites, since this capability is given to authenticated users by default.
Issue summary: Capability moodle/tag:flag not observed
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier unsupported versions
Versions fixed: 2.8.4, 2.7.6 and 2.6.9
Reported by: Frédéric Massart
Issue no.: MDL-49084
CVE identifier: CVE-2015-2271
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49084

MSA-15-0014: Potential information disclosure for the inaccessible courses

by Marina Glancy
Description: For custom themes that use block regions in the base layout, the blocks for inaccessible courses could be displayed together with sensitive course-related information. The majority of themes, including all standard Moodle themes, are not affected.
Issue summary: Guest user can see course information they should not be able to via require_login
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier unsupported versions
Versions fixed: 2.8.4, 2.7.6 and 2.6.9
Reported by: Sam Hemelryk
Issue no.: MDL-48804
CVE identifier: CVE-2015-2270
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48804

MSA-15-0013: Block title not properly escaped and may cause HTML injection

by Marina Glancy
Description: It is possible to create HTML injection through blocks with configurable titles; however, this could only be exploited by users who are already marked as XSS-trusted.
Issue summary: Block title not properly escaped and may cause HTML injection
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier unsupported versions
Versions fixed: 2.8.4, 2.7.6 and 2.6.9
Reported by: Gjoko Krstic
Issue no.: MDL-49144
CVE identifier: CVE-2015-2269
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49144

MSA-15-0012: ReDoS Possible with Convert links to URLs filter

by Marina Glancy
Description: A non-optimal regular expression in the filter could be exploited to create extra server load or make a particular page unavailable.
Issue summary: ReDoS Possible with Convert links to URLs filter
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier unsupported versions
Versions fixed: 2.8.4, 2.7.6 and 2.6.9
Reported by: Rob
Issue no.: MDL-38466
Workaround: Disable the "Convert links to URLs" filter
CVE identifier: CVE-2015-2268
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38466

MSA-15-0011: Authentication in mdeploy can be bypassed

by Marina Glancy
Description: It is theoretically possible to extract files anywhere on the system where the web server has write access, although it is quite difficult to exploit, since the attacking user must know details about the system and already have significant permissions on the site.
Issue summary: Authentication in mdeploy can be bypassed
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier unsupported versions
Versions fixed: 2.8.4, 2.7.6 and 2.6.9
Reported by: Frédéric Massart
Issue no.: MDL-49087
Workaround: Delete the file mdeploy.php or prevent access to it in the web server config
CVE identifier: CVE-2015-2267
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49087

MSA-15-0010: Personal contacts and number of unread messages can be revealed

by Marina Glancy
Description: By modifying a URL, a logged-in user can view the list of another user's contacts, the number of their unread messages and the list of their courses.
Issue summary: Personal contacts and number of unread messages can be revealed
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier unsupported versions
Versions fixed: 2.8.4, 2.7.6 and 2.6.9
Reported by: Barry Oosthuizen
Issue no.: MDL-49204
Workaround: Disable messaging on site
CVE identifier: CVE-2015-2266
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49204

MSA-15-0009: Directory Traversal Attack possible through some files serving JS

by Marina Glancy
Description: The "file" parameter passed to scripts serving JS was not always cleaned of "../" sequences in the path, allowing files located outside of the Moodle directory to be read. All OSes are affected, but Windows servers are especially vulnerable.
Issue summary: Preauthenticated Local File Disclosure
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.2, 2.7 to 2.7.4, 2.6 to 2.6.7 and earlier unsupported versions.
The earliest affected version is 2.3 on Windows servers and 2.5 on servers with other OSes. It is highly recommended to apply the patch manually if you are running an unsupported version or are otherwise unable to upgrade.
Versions fixed: 2.8.3, 2.7.5 and 2.6.8
Reported by: Emiel Florijn
Issue no.: MDL-48980 and MDL-48990
Workaround: Prevent access to URLs containing "../" or "..\" in web server configuration
CVE identifier: CVE-2015-1493 (also aliased as CVE-2015-0246)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48980

MSA-15-0008: Forced logout through Shibboleth authentication plugin

by Marina Glancy
Description: It was possible to forge a request to log out users even when they were not authenticated through Shibboleth.
Issue summary: Forced logout via auth/shibboleth/logout.php
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Petr Skoda
Issue no.: MDL-47964
Workaround: Deny access to the file auth/shibboleth/logout.php in the web server configuration
CVE identifier: CVE-2015-0218
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47964

MSA-15-0007: ReDoS possible in the multimedia filter

by Marina Glancy
Description: A non-optimal regular expression in the filter could be exploited to create extra server load or make a particular page unavailable.
Issue summary: ReDoS in the multimedia filter
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Nicolas Martignoni
Issue no.: MDL-48546
Workaround: Disable multimedia filter
CVE identifier: CVE-2015-0217
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48546