Security announcements

MSA-13-0003: Potential server file access through backup restoration

by Michael de Raadt
Description: Paths in backups to restorable files were not being sufficiently validated and could be manipulated to gain access to files on the server.
Issue summary: moodle1 backup converter path not properly validated

Severity/Risk: Serious
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+
Reported by: Dan Poltawski
Issue no.: MDL-36977

CVE identifier: CVE-2012-6099
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36977

MSA-13-0002: Capability issue with Outcome editing

by Michael de Raadt
Description: Users without the appropriate capability were able to set a custom outcome they had created as a standard site-wide capability when editing that outcome.
Issue summary: Teachers can set Outcomes to be Standard when re-editing

Severity/Risk: Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+, 1.9 to 1.9.19
Reported by: Elena Ivanov
Issue no.: MDL-27619

CVE identifier: CVE-2012-6098
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-27619

MSA-13-0001: Security issue in Google Spellchecker in TinyMCE

by Michael de Raadt
Description: A security issue was reported by TinyMCE. This fix has been applied to Moodle.
Issue summary: import tinymce spellchecker 2.0.6.1

Severity/Risk: Serious
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+
Reported by: Petr Škoda
Issue no.: MDL-37283

CVE identifier: CVE-2012-6112
Workaround: Disable spellchecker plugin
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37283

MSA-12-0063: Information leak in Check Permissions page

by Michael de Raadt
Topic: Check Permissions page displays entire user base without moodle/role:manage capability
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.2+
Reported by: Jody Steele
Issue no.: MDL-35381

CVE Identifier: CVE-2012-5481
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35381

Description: The Check Permissions page was allowing non-admin users to see the capabilities of all users, not just users in a course/category.

MSA-12-0062: Information leak in Database activity module

by Michael de Raadt
Topic: Any user (including a guest) can view entries in database activity when more entries are required before viewing other participants' entries
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by: Tabitha Roder
Issue no.: MDL-35558

CVE Identifier: CVE-2012-5480
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35558

Description: The setting requiring that a number of entries be posted to a Database activity before others' entries could be viewed could be circumvented using an advanced search.

MSA-12-0061: Remote code execution through Portfolio API

by Michael de Raadt
Topic: Portfolio plugin: Local File Inclusion (LFI) and the possibility of Remote Command Execution (RCE).
Severity/Risk: Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by: Cristobal Leiva
Issue no.: MDL-33791

CVE Identifier: CVE-2012-5479
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36346

Description: It was possible, when Moodle data is stored within the Web-accessible directory, to manipulate the Portfolio API callbacks to execute a file uploaded by a user.

MSA-12-0060: Cross-site scripting vulnerability in YUI2

by Michael de Raadt
Topic: yui2 swf vulnerability
Severity/Risk: Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+, 1.9 to 1.9.18+
Reported by: Petr Škoda, Jenny Donnelly
Issue no.: MDL-36346

CVE Identifier: CVE-2012-5475
Workaround: Delete YUI SWF files

Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36346

Description: An XSS vulnerability has been discovered in some YUI 2 .swf files from versions 2.4.0 through 2.9.0. This defect allows JavaScript injection exploits to be created against domains that host affected YUI .swf files.

MSA-12-0059: Information leak in Database activity module

by Michael de Raadt
Topic: Members of separate groups can see Database activity entries for other groups
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by: Richard Meyer
Issue no.: MDL-34448

CVE Identifier: CVE-2012-5473
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34448

Description: Within the Database activity module, when separate groups were used, members of one group were able to see entries created by members of another group by completing an advanced search.

MSA-12-0058: Possible form data manipulation issue

by Michael de Raadt
Topic: add setConstant() for hardfreeze element
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+
Reported by: Rossiani Wijaya
Issue no.: MDL-32785

CVE Identifier: CVE-2012-5472
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32785

Description: Frozen form elements were open to manipulation when form data was submitted.

MSA-12-0057: Access issue through repository

by Michael de Raadt
Topic: User B is able to see and use Dropbox of User A within Dropbox Repository File Picker
Severity/Risk: Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by: Alexander Bias
Issue no.: MDL-29872, MDL-36366

CVE Identifier: CVE-2012-5471
Workaround: Turn off Dropbox repository

Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29872

Description: Users who logged out of Dropbox through the Moodle repository were disconnected in Moodle, but the user's access to Dropbox was still allowed while their browser session continued.