Security announcements

MSA-12-0046: Insecure protocol redirection in LDAP authentication

by Michael de Raadt
Topic: redirect() "forgets" https
Severity/Risk: Minor
Versions affected: 2.3, 2.2 to 2.2.3+, 2.1 to 2.1.6+, 2.0 to 2.0.9+
Reported by: Christophe
Issue no.: MDL-23254

CVE Identifier: CVE-2012-3394
Changes (2.2): http://git.moodle.org/gw?p=moodle.git;a=commit;h=9d8d2ee6192e8b7ebb6713bd6215e06f94e2a9f7

Description:

Users redirected during an LDAP login were being sent from HTTPS to HTTP.

MSA-12-0045: Injection potential in admin for repositories

by Michael de Raadt
Topic: HTML/JS Injection possible in repository names
Severity/Risk: Minor
Versions affected: 2.2 to 2.2.3+, 2.1 to 2.1.6+
Reported by: Daniel Compton
Issue no.: MDL-33808

CVE Identifier: CVE-2012-3393
Changes (2.2): http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_22_STABLE&st=commit&s=MDL-33808

Description:

The administration setting that allowed renaming of repositories was not being filtered.

MSA-12-0044: Capability check issue in forum subscriptions

by Michael de Raadt
Topic: Add some capability checks etc to mod/forum/unsubscribeall.php
Severity/Risk: Minor
Versions affected: 2.2 to 2.2.3+, 2.1 to 2.1.6+
Reported by: Andrew Davis
Issue no.: MDL-31460

CVE Identifier: CVE-2012-3392
Changes (2.2): http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_22_STABLE&st=commit&s=MDL-31460

Description:

The capability for students to unsubscribe from forums was not being checked properly.

MSA-12-0043: Early information access issue in forum

by Michael de Raadt
Topic: Forum displays Q&A posts in RSS feeds before users have correct access
Severity/Risk: Minor
Versions affected: 2.2 to 2.2.3+, 2.1 to 2.1.6+
Reported by: Andrew Nicols
Issue no.: MDL-32199
Workaround: Do not provide RSS access to Q&A forums

CVE Identifier: CVE-2012-3391
Changes (2.2): http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_22_STABLE&st=commit&s=MDL-32199

Description:

Q&A forum posts should not be visible to students until they have contributed a post; however, an RSS feed from such a forum was displaying all posts.

MSA-12-0042: File access issue in blocks

by Michael de Raadt
Topic: Missing permissions check in pluginfile for blocks
Severity/Risk: Minor
Versions affected: 2.2 to 2.2.3+, 2.1 to 2.1.6+
Reported by: Juan Leyva
Issue no.: MDL-32155
Workaround: Do not embed sensitive documents in HTML blocks

CVE Identifier: CVE-2012-3390
Changes (2.2): http://git.moodle.org/gw?p=moodle.git;a=commit;h=c58c05ad4f22c6ee1e136a7d4caaddd809a7134d

Description:

Files embedded by a block (e.g., the HTML block) were accessible after the block had been hidden.

MSA-12-0041: XSS issue in LTI module

by Michael de Raadt
Topic: XSS vulnerabilities in /mod/lti/typessettings.php (POST parameters: lti_typename, lti_toolurl)
Severity/Risk: Serious
Versions affected: 2.3, 2.2 to 2.2.3+
Reported by: Dan Poltawski
Issue no.: MDL-31692

CVE Identifier: CVE-2012-3389
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31692

Description:

Parameters used by the LTI (External tool) module were not being sufficiently cleaned.

MSA-12-0040: Capabilities issue through caching

by Michael de Raadt
Topic: lib/accesslib.php is_enrolled doesn't check capabilities for cached users
Severity/Risk: Minor
Versions affected: 2.3, 2.2 to 2.2.3+
Reported by: Andrew Nicols
Issue no.: MDL-33916

CVE Identifier: CVE-2012-3388
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-33916

Description:

Capability checks were not working properly after a user record had been cached.

MSA-12-0039: File upload validation issue

by Michael de Raadt
Topic: file_save_draft_area_files() does not validate references are allowed
Severity/Risk: Minor
Versions affected: 2.3
Reported by: Petr Škoda
Issue no.: MDL-33948

CVE Identifier: CVE-2012-3387
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-33948

Description:

Where file shortcuts/aliases were not permitted, this was being validated at the client, but not on the server.

MSA-12-0038: Calendar event write permission issue

by Michael de Raadt
Topic: Calendar New Entry still shows and works for roles preventing calendar entry
Severity/Risk: Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+, 1.9 to 1.9.17+
Reported by: Martin Huntley
Issue no.: MDL-18335

CVE Identifier: CVE-2012-2367
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-18335

Description:

Users without appropriate permissions were able to access the new calendar entry page and create a calendar entry.

MSA-12-0037: Write access issue in Database activity module

by Michael de Raadt
Topic: It's possible for any user to overwrite site wide database presets
Severity/Risk: Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by: Dan Poltawski
Issue no.: MDL-31763

CVE Identifier: CVE-2012-2366
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31763

Description:

Users were able to overwrite site-wide Database activity presets created by other users.