Security announcements

MSA-12-0016: Default repository capabilities issue

by Michael de Raadt
Topic: authenticated user "view" capability set to "allow" for all repos
Severity: Minor
Versions affected: 2.2 to 2.2.1+, 2.1 to 2.1.4+, 2.0 to 2.0.7+
Reported by: Andrea Bicciolo

Workaround: Manually change capability for repositories
Issue no.: MDL-30452
CVE Identifier: CVE-2012-1157

Changes (master): http://git.moodle.org/gw?p=moodle.git;a=commit;h=246c2cb8e5af71a7d7c605b8fc9f9563e0fb3bc4

Description:

Not all repositories are intended for student use; however, all repositories were viewable by all users by default. This change will affect new installations only. Existing site admins should review their repository capabilities.

MSA-12-0015: Backup and private files issue

by Michael de Raadt
Topic: Backup with user files includes users' private files
Severity: Minor
Versions affected: 2.2 to 2.2.1+, 2.1 to 2.1.4+, 2.0 to 2.0.7+
Reported by: Ralf Hilgenstock

Workaround: Disable private files
Issue no.: MDL-29248
CVE Identifier: CVE-2012-1156

Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29248

Description:

Course backups were including users' private files unnecessarily.

MSA-12-0014: Password and Web services issue

by Michael de Raadt
Topic: core_user_update_users user password is reset if not specified
Severity: Minor
Versions affected: 2.2 to 2.2.1+, 2.1 to 2.1.4+, 2.0 to 2.0.7+
Reported by: Fábio Souto

Workaround: Turn off web services
Issue no.: MDL-30878
CVE Identifier: CVE-2012-1168

Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-30878

Description:

A Web service function for updating user profiles was resetting user passwords when they were not supplied with update information.
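The class of bug described above, shown as an added example that is not Moodle's code: a partial-update routine that rewrites the password on every call, next to a version that only touches fields the caller supplied. The function names, the array-backed `$store`, and the assumption that a missing password is hashed as an empty value are all hypothetical.

```php
<?php
// Illustrative only: hypothetical helpers, not Moodle's implementation.
// $store stands in for the user table, keyed by user id.

/** Flawed pattern: every call rewrites the password column. */
function update_user_flawed(array &$store, array $update): void {
    $id = $update['id'];
    // When 'password' is absent, an empty value is hashed and stored,
    // silently replacing the user's existing credential.
    $update['password'] = password_hash((string)($update['password'] ?? ''), PASSWORD_DEFAULT);
    $store[$id] = array_merge($store[$id], $update);
}

/** Corrected pattern: a field changes only when the caller supplied it. */
function update_user_fixed(array &$store, array $update): void {
    $id = $update['id'];
    if (array_key_exists('password', $update)) {
        // A supplied password must be a real value, never null or empty.
        if (!is_string($update['password']) || $update['password'] === '') {
            throw new InvalidArgumentException('password must be a non-empty string');
        }
        $update['password'] = password_hash($update['password'], PASSWORD_DEFAULT);
    }
    $store[$id] = array_merge($store[$id], $update);
}

// Constructed sample data: one user and a profile-only update (no password key).
$original = [
    'id'       => 7,
    'email'    => 'old@example.test',
    'password' => password_hash('correct horse', PASSWORD_DEFAULT),
];
$profileOnly = ['id' => 7, 'email' => 'new@example.test'];

// Flawed path: check whether the existing password still verifies afterwards.
$a = [7 => $original];
update_user_flawed($a, $profileOnly);
var_dump(password_verify('correct horse', $a[7]['password']));

// Fixed path: the same check, plus the field that was meant to change.
$b = [7 => $original];
update_user_fixed($b, $profileOnly);
var_dump(password_verify('correct horse', $b[7]['password']));
var_dump($b[7]['email']);
```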

MSA-12-0013: Database activity export permission issue

by Michael de Raadt
Topic: database activity module entries exporting does not respect separate groups
Severity: Minor
Versions affected: 2.2 to 2.2.1+, 2.1 to 2.1.4+, 2.0 to 2.0.7+, 1.9 to 1.9.16+
Reported by: Frédéric Hoogstoel

Workaround: Disable database content export for students
Issue no.: MDL-25185
CVE Identifier: CVE-2012-1155

Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-25185

Description:

The export function of the database activity module was exporting all entries, including those from groups the user is not a member of.

MSA-12-0012: Form validation issue

by Michael de Raadt
Topic: Moodle form element types are not applied to some 'repeated' elements
Severity: Minor
Versions affected: 2.2, 2.1 to 2.1.3+ (earlier versions unaffected)
Reported by: Ruslan Kabalin
Issue no.: MDL-30560
Changes (master): http://git.moodle.org/gw?p=moodle.git;a=commit;h=51070abc78b9e1db1db9a44855e8623b22bebd48

Description:

Some repeated form elements were not being validated properly.

MSA-12-0011: Browser autofill password issue

by Michael de Raadt
Topic: iPad Autofill Functionality reveals user's password on Moodle create groups page
Severity: Serious
Versions affected: 2.2, 2.1 to 2.1.3+, 2.0 to 2.0.6+ (1.9 not affected)
Reported by: Mike Wilson
Issue no.: MDL-29917
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29917

Description:

Safari was revealing the user's saved password in a non-password field.

MSA-12-0010: Unauthorised access to session key

by Michael de Raadt
Topic: Anonymous frontpage forums call generates sesskey value
Severity: Minor
Versions affected: 2.1 to 2.1.3+, 2.0 to 2.0.6+ (2.2, 1.9 not affected)
Reported by: Stephen Overall
Workaround: Do not use an anonymous forum on the front page
Issue no.: MDL-27334
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-27334

Description:

It was possible to access a page that would generate sesskey values for an unauthenticated user.

MSA-12-0009: Role access issue

by Michael de Raadt
Topic: Teacher can assign role in self-enrolment for his course as manager even if assign role is disabled
Severity: Minor
Versions affected: 2.2, 2.1 to 2.1.3+ (earlier versions unaffected)
Reported by: Ibrahim Awad
Workaround: Disable self-enrolment
Issue no.: MDL-29469
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29469

Description:

Under specific circumstances, teachers were able to self-enrol themselves at a higher level.

MSA-12-0008: Unsynchronised access via tokens

by Michael de Raadt
Topic: WS tokens & user->deleted status are out of sync
Severity: Minor
Versions affected: 2.2, 2.1 to 2.1.3+, 2.0 to 2.0.6+ (1.9 not affected)
Reported by: Eloy Lafuente
Issue no.: MDL-28126
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28126

Description:

A user deleted on the server was able to access a site while they continued to use a token.

MSA-12-0007: Email injection prevention

by Michael de Raadt
Topic: Header injection in PHPMailer library
Severity: Serious
Versions affected: 2.2, 2.1 to 2.1.3+, 2.0 to 2.0.6+, 1.9 to 1.9.15+
Reported by: Simon Coggins
Issue no.: MDL-30575
Changes (master): http://git.moodle.org/gw?p=moodle.git;a=commit;h=62988bf0bbc73df655f51884aaf1f523928abff9

Description:

It was possible to inject additional information into email headers, such as additional addresses.