Security announcements

MSA-14-0045: XSS file upload possible through web service

by Marina Glancy -
Description: If a web service with a file upload function was available, a user could upload an XSS file to their profile picture area.
Issue summary: XSS through WS user file upload
Severity/Risk: Serious
Versions affected: 2.7 to 2.7.2 and 2.6 to 2.6.5
Versions fixed: 2.8, 2.7.3 and 2.6.6
Reported by: Petr Skoda
Issue no.: MDL-47868
Workaround: Do not enable "Can upload files" in web services, especially for untrusted users
CVE identifier: CVE-2014-7835
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47868

MSA-14-0044: Hardware path disclosed in the error message

by Marina Glancy -
Description: By directly accessing an internal file, an unauthenticated user can be shown an error message containing the file system path of the Moodle install.
Issue summary: PHPunit: lib/phpunit/bootstrap.php leaks system info
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5
Versions fixed: 2.8, 2.7.3 and 2.6.6
Reported by: Sam Marshall
Issue no.: MDL-47287
Workaround: Prevent web access to this file using web server directives
CVE identifier: CVE-2014-7848
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47287

MSA-14-0043: Lack of group check in web service for Forum

by Marina Glancy -
Description: When using the web service function for Forum discussions, group permissions were not checked.
Issue summary: forum_get_discussions web service misses group permissions check
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5
Versions fixed: 2.8, 2.7.3 and 2.6.6
Reported by: Petr Skoda
Issue no.: MDL-45303
Workaround: Do not enable the web service function mod_forum_get_discussions
CVE identifier: CVE-2014-7834
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45303

MSA-14-0042: Lack of access check in IP lookup functionality

by Marina Glancy -
Description: The script used to geo-map IP addresses was available to unauthenticated users, increasing server load when used by other parties.
Issue summary: iplookup is available to unauthenticated guests
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Dan Poltawski
Issue no.: MDL-47321
CVE identifier: CVE-2014-7847
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47321

MSA-14-0041: Lack of capability check in tags list access

by Marina Glancy -
Description: Unprivileged users could access the list of available tags in the system.
Issue summary: Tag autocomplete AJAX page lacks capability check
Severity/Risk: Serious
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Frédéric Massart
Issue no.: MDL-47965
CVE identifier: CVE-2014-7846
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47965

MSA-14-0040: Information leak in Database activity module

by Marina Glancy -
Description: Group-level entries in the Database activity module became visible to users in other groups after being edited by a teacher.
Issue summary: Group ID of Database record overwritten by 0
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Pamela Verret
Issue no.: MDL-47697
CVE identifier: CVE-2014-7833
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47697

MSA-14-0039: Insufficient access check in LTI module

by Marina Glancy -
Description: Capability checks in the LTI module only checked access to the course and not to the activity.
Issue summary: mod/lti/launch.php lacks access control
Severity/Risk: Serious
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Petr Skoda
Issue no.: MDL-47921
CVE identifier: CVE-2014-7832
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47921

MSA-14-0038: Hidden grade information exposed by web services

by Marina Glancy -
Description: A user without the capability to view hidden grades could retrieve grades using web services.
Issue summary: get_grades webservice exposes hidden grades to students
Severity/Risk: Serious
Versions affected: 2.7 and 2.7.2
Versions fixed: 2.8, 2.7.3
Reported by: Damyon Wiese
Issue no.: MDL-47766
Workaround: Do not enable core_grades_get_grades in web services
CVE identifier: CVE-2014-7831
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47766

MSA-14-0037: Weak temporary password generation

by Marina Glancy -
Description: The word list for temporary password generation was short, meaning the pool of possible passwords was not big enough.
Issue summary: generate_password() is insecure and in use
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Aaron Barnes
Issue no.: MDL-47050
Workaround: Enable password policy
CVE identifier: CVE-2014-7845
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47050

MSA-14-0036: XSS in mapcourse script in Feedback module

by Marina Glancy -
Description: The last search string in the Feedback module was not escaped in the search input field.
Issue summary: XSS through $searchcourse in mod/feedback/mapcourse.php
Severity/Risk: Serious
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Petr Skoda
Issue no.: MDL-47865
Workaround: Disable the Feedback module or remove the mod/feedback:mapcourse capability from users
CVE identifier: CVE-2014-7830
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47865