Security announcements

MSA-11-0040: Potential personal information leak

by Michael de Raadt
Topic: mod/forum/user.php exposes user details
Severity: Minor
Versions affected: < 2.1.2, < 2.0.5, < 1.9.14
Reported by: Rossiani Wijaya
Issue no.: MDL-28615
Solution: upgrade to latest version
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&s=MDL-28615

Description:

Users' names should only be displayed to other students in the same course or to administrators.

Note: this issue was resolved for Moodle 2.x. A fix for Moodle 1.9.x will be created separately.

(Updated by Michael de Raadt, original publication date: Tuesday, 18 October 2011, 12:23 PM)

MSA-11-0039: Wiki section vulnerability

by Michael de Raadt
Topic: XSS through 'section' parameter
Severity: Serious
Versions affected: < 2.1.2, < 2.0.5 (1.9.x not affected)
Reported by: Petr Škoda
Issue no.: MDL-28725
Solution: upgrade to latest version
Changes (master): http://git.moodle.org/gw?p=moodle.git;a=commit;h=41017112cff7f5bd7969c72d321320f3090e7c68

Description:

Cross site scripting was possible through the 'section' parameter.

MSA-11-0038: Database injection protection strengthened

by Michael de Raadt
Topic: Magic quotes hardening of 1.9
Severity: Serious
Versions affected: < 1.9.14 (2.x not affected)
Reported by: Petr Škoda
Issue no.: MDL-29033
Solution: upgrade to 1.9.14
Changes (1.9): http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=bf0ddcb332998e14b2deeb2fff1e7e6849ce65d6

Description:

Filtering has been added to various DB functions to avoid unanticipated injection threats.

MSA-11-0037: Course section editing injection vulnerability

by Michael de Raadt
Topic: Potential XSS: editsection.html print values directly from data_submitted()
Severity: Minor
Versions affected: < 1.9.14 (2.x not affected)
Reported by: Aaron Barnes
Issue no.: MDL-28722
Solution: upgrade to 1.9.14
Changes (1.9): http://git.moodle.org/gw?p=moodle.git;a=commit;h=4a2acd8c7e6c869d5fd5aa686e6e0a3f20c97f15

Description:

Course section editing form data was being used without being filtered, which could be exploited by an injection attack.

MSA-11-0036: Messaging refresh vulnerability

by Michael de Raadt
Topic: Message refreshing system may cause unlimited queries and DDoS attack
Severity: Serious
Versions affected: < 1.9.14 (2.x not affected)
Reported by: Xavier Paz
Issue no.: MDL-29311
Solution: upgrade to 1.9.14
Changes (1.9): http://git.moodle.org/gw?p=moodle.git;a=commit;h=97f258fabb3ebfa7acc7c02cb59de92b01710f99

Description:

Users could change the wait parameter from message/refresh.php to zero to cause a denial of service attack.

MSA-11-0035: Cookie-less session vulnerability

by Michael de Raadt
Topic: prevent $CFG->usesid because hackers try to exploit it
Severity: Minor
Versions affected: < 2.1.2, < 2.0.5 (1.9.x could also be vulnerable if misconfigured)
Reported by: Petr Škoda
Issue no.: MDL-29312
Solution: upgrade to latest version
Changes (master): http://git.moodle.org/gw?p=moodle.git;a=commit;h=e1e082a809b9a2d3a408cb4d6faa34fdfcf3165c
Workaround: Don't use cookie-less sessions

Description:

The $CFG->usesid was added previously to allow simpler access, but this setting is now ignored to remove a potential vulnerability.

MSA-11-0034: Chat module information leak

by Michael de Raadt
Topic: Chat disclosed full names of all system users including deleted users
Severity: Serious
Versions affected: < 2.1.2, < 2.0.5 (1.9.x not affected)
Reported by: Petr Škoda
Issue no.: MDL-27219
Solution: upgrade to latest version
Changes (master): http://git.moodle.org/gw?p=moodle.git;a=commit;h=d0157d827bc254ba386a5e5b41b13be2698ee76e
Workaround: Do not use Chat

Description:

Chat users could probe users' names by 'beep'ing their user ID.

MSA-11-0033: Site-hub registration identity issue

by Michael de Raadt
Topic: Column registration_hubs.secret gets different default value for upgrade versus install
Severity: Serious
Versions affected: < 2.1.2, < 2.0.5 (1.9.x not affected)
Reported by: Colin Campbell
Issue no.: MDL-27635
Solution: upgrade to latest version
Changes (master): http://git.moodle.org/gw?p=moodle.git;a=commit;h=ca896fdfcfcc87846fa91a297d0aa6999a68c48a
Workaround: Do not use community hubs

Description:

On installation, a site's secret value for hubs was not being set.

MSA-11-0032: MNET SSL validation issue

by Michael de Raadt
Topic: Incorrect handling of openssl_verify() return code
Severity: Serious
Versions affected: < 2.1.2, < 2.0.5, < 1.9.14
Reported by: David Mudrak
Issue no.: MDL-29148
Solution: upgrade to latest version
Changes (master): http://git.moodle.org/gw?p=moodle.git;a=commit;h=54941685e3e86ec085641dcb7ebb1f96f06735b2
Workaround: Disable MNET

Description:

Moodle was not handling these SSL return codes correctly and was vulnerable to remote attacks bypassing validation.
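
The bug class named in this topic, shown as an added example (not Moodle's code and not taken from the linked commit): openssl_verify() returns 1 for a correct signature, 0 for an incorrect one, and -1 or false on error, so a check that accepts any truthy value passes on -1. The function names verified_loose() and check_signature() are hypothetical, and the key and message are constructed sample data.

```php
<?php
// Added illustration, not Moodle code; function names are hypothetical.

// Weak pattern: any truthy return counts as "verified".
// -1 (OpenSSL error) is truthy in PHP, so an error passes the check.
function verified_loose($rc): bool {
    return (bool) $rc;
}

// Hardened pattern: only the exact integer 1 is a correct signature;
// 0 (incorrect) and -1/false (error) both fail closed.
function check_signature(string $data, string $sig, $pubkey): string {
    $rc = @openssl_verify($data, $sig, $pubkey, OPENSSL_ALGO_SHA256);
    if ($rc === 1) {
        return 'valid';
    }
    if ($rc === 0) {
        return 'invalid';
    }
    // Drain the OpenSSL error queue so the failure reason can be logged.
    $errors = [];
    while (($e = openssl_error_string()) !== false) {
        $errors[] = $e;
    }
    return 'error: ' . (implode('; ', $errors) ?: 'no detail');
}

// How each documented return value fares under the loose check.
foreach ([1, 0, -1, false] as $rc) {
    printf("rc=%-5s loose=%s strict=%s\n", var_export($rc, true),
        var_export(verified_loose($rc), true), var_export($rc === 1, true));
}

// Round trip with a throwaway RSA key generated here (constructed data).
$key = openssl_pkey_new(['private_key_bits' => 2048,
                         'private_key_type' => OPENSSL_KEYTYPE_RSA]);
if ($key === false) {
    exit("key generation failed\n");
}
$pub = openssl_pkey_get_details($key)['key'];
$msg = 'constructed sample payload';
openssl_sign($msg, $sig, $key, OPENSSL_ALGO_SHA256);

echo check_signature($msg, $sig, $pub), "\n";        // untouched message
echo check_signature($msg . 'x', $sig, $pub), "\n";  // altered message
echo check_signature($msg, $sig, 'not a key'), "\n"; // unusable key
```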

MSA-11-0031: Forms API constant issue

by Michael de Raadt
Topic: $mform->setConstant() does not work as expected
Severity: Serious
Versions affected: < 2.1.2, < 2.0.5, < 1.9.14
Reported by: David Mudrak
Issue no.: MDL-23872
Solution: upgrade to latest version
Changes (master): http://git.moodle.org/gw?p=moodle.git;a=commit;h=f1f70bd4dde6cd1ea4bdb8ab28fa3d36a53b89d8

Description:

Form values that are set as constants were able to be altered by users when the form was submitted.