Security announcements

MSA-13-0005: Potential phishing attack through URL redirects

by Michael de Raadt
Description: Insufficient filtering of return URLs on some pages was allowing redirects to sites outside Moodle.
Issue summary: Open redirect issues
Severity/Risk: Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+
Reported by: Simon Coggins
Issue no.: MDL-35991
CVE identifier: CVE-2012-6101
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35991
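
Added example (not Moodle's code and not taken from the linked commits): one way to filter a return URL so that a redirect can only land on the site itself. SITE_ROOT, local_return_url() and the host names are hypothetical placeholders.

```php
<?php
// Added example, not Moodle code. SITE_ROOT and local_return_url() are
// hypothetical names; the hosts below are constructed placeholders.
const SITE_ROOT = 'https://moodle.example.test';

/**
 * Return $candidate if it points at this site, otherwise $fallback.
 */
function local_return_url(string $candidate, string $fallback = SITE_ROOT . '/'): string
{
    // Browsers treat "\" like "/" and strip control characters, while
    // parse_url() does not, so refuse such input instead of guessing.
    if ($candidate === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $candidate)) {
        return $fallback;
    }
    // Root-relative path: exactly one leading slash. "//host/path" is
    // protocol-relative and would leave the site.
    if ($candidate[0] === '/' && ($candidate[1] ?? '') !== '/') {
        return SITE_ROOT . $candidate;
    }
    $site = parse_url(SITE_ROOT);
    $url = parse_url($candidate);
    // No scheme or host: "javascript:...", "//host" or a malformed value.
    if (!is_array($url) || !isset($url['scheme'], $url['host'])) {
        return $fallback;
    }
    // Scheme, host and port must all match; embedded credentials are refused.
    $same = strcasecmp($url['scheme'], $site['scheme']) === 0
        && strcasecmp($url['host'], $site['host']) === 0
        && ($url['port'] ?? null) === ($site['port'] ?? null)
        && !isset($url['user']) && !isset($url['pass']);
    return $same ? $candidate : $fallback;
}

$samples = [ // constructed inputs
    '/course/view.php?id=2',
    'https://moodle.example.test/login/index.php',
    'https://evil.example/login',
    '//evil.example/login',
    'https://moodle.example.test@evil.example/',
    'https://moodle.example.test.evil.example/',
    '/\\evil.example/',
    'javascript:alert(1)',
];
foreach ($samples as $s) {
    printf("%-45s => %s\n", $s, local_return_url($s));
}
```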

MSA-13-0004: Information leak through activity report

by Michael de Raadt
Description: Under certain circumstances, when last access is included in a list of fields forced to be hidden, the Activity report would still reveal users' last access.
Issue summary: Activity Report showing lastaccess even if it is a hidden field
Severity/Risk: Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+
Reported by: Jody Steel
Issue no.: MDL-33340
CVE identifier: CVE-2012-6100
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-33340

MSA-13-0003: Potential server file access through backup restoration

by Michael de Raadt
Description: Paths in backups to restorable files were not being sufficiently validated and could be manipulated to gain access to files on the server.
Issue summary: moodle1 backup converter path not properly validated
Severity/Risk: Serious
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+
Reported by: Dan Poltawski
Issue no.: MDL-36977
CVE identifier: CVE-2012-6099
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36977
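
Added example (not Moodle's code; the actual fix is in the linked commits and is not shown here): a realpath()-based containment check for a file path read from backup metadata, so that only regular files inside the extracted backup directory are accepted. resolve_inside() and the demo directory layout are hypothetical.

```php
<?php
// Added example, not Moodle code. resolve_inside() is a hypothetical helper.

/**
 * Resolve a path taken from backup metadata against $basedir. Returns the
 * real path only if it is a regular file inside $basedir, otherwise null.
 */
function resolve_inside(string $basedir, string $relative): ?string
{
    $base = realpath($basedir);
    // A NUL byte makes realpath() throw on PHP 8, so reject it up front.
    if ($base === false || $relative === '' || strpos($relative, "\0") !== false) {
        return null;
    }
    // realpath() collapses ".." and follows symlinks, so the comparison
    // below is made on where the file really lives, not on how it is spelled.
    $real = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare with a trailing separator so that a sibling directory such as
    // "backup-other" does not pass as being inside "backup".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed demo layout in the system temp directory.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'restore_demo_' . bin2hex(random_bytes(4));
mkdir($tmp . '/backup/files', 0700, true);
file_put_contents($tmp . '/backup/files/a.txt', 'course file');
file_put_contents($tmp . '/secret.txt', 'outside the backup');

$paths = [ // constructed inputs
    'files/a.txt',
    '../secret.txt',
    'files/../../secret.txt',
    'files/missing.txt',
];
foreach ($paths as $p) {
    $r = resolve_inside($tmp . '/backup', $p);
    printf("%-26s %s\n", $p, $r === null ? 'rejected' : 'accepted');
}
```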

MSA-13-0002: Capability issue with Outcome editing

by Michael de Raadt
Description: Users without the appropriate capability were able to set a custom outcome they had created as a standard site-wide capability when editing that outcome.
Issue summary: Teachers can set Outcomes to be Standard when re-editing
Severity/Risk: Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+, 1.9 to 1.9.19
Reported by: Elena Ivanov
Issue no.: MDL-27619
CVE identifier: CVE-2012-6098
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-27619

MSA-13-0001: Security issue in Google Spellchecker in TinyMCE

by Michael de Raadt
Description: A security issue was reported by TinyMCE. This fix has been applied to Moodle.
Issue summary: import tinymce spellchecker 2.0.6.1
Severity/Risk: Serious
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+
Reported by: Petr Škoda
Issue no.: MDL-37283
CVE identifier: CVE-2012-6112
Workaround: Disable spellchecker plugin
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37283

MSA-12-0063: Information leak in Check Permissions page

by Michael de Raadt
Topic: Check Permissions page displays entire user base without moodle/role:manage capability
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.2+
Reported by: Jody Steele
Issue no.: MDL-35381
CVE Identifier: CVE-2012-5481
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35381
Description: The Check Permissions page was allowing non-admin users to see the capabilities of all users, not just users in a course/category.

MSA-12-0062: Information leak in Database activity module

by Michael de Raadt
Topic: Any user (including a guest) can view entries in database activity when more entries are required before viewing other participants' entries
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by: Tabitha Roder
Issue no.: MDL-35558
CVE Identifier: CVE-2012-5480
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35558
Description: The setting requiring that a number of entries be posted to a Database activity before others' entries could be viewed could be circumvented using an advanced search.

MSA-12-0061: Remote code execution through Portfolio API

by Michael de Raadt
Topic: Portfolio plugin: Local File Inclusion (LFI) and the possibility of Remote Command Execution (RCE).
Severity/Risk: Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by: Cristobal Leiva
Issue no.: MDL-33791
CVE Identifier: CVE-2012-5479
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36346
Description: It was possible, when Moodle data is stored within the Web accessible directory, to manipulate the Portfolio API callbacks to execute a file uploaded by a user.

MSA-12-0060: Cross-site scripting vulnerability in YUI2

by Michael de Raadt
Topic: yui2 swf vulnerability
Severity/Risk: Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+, 1.9 to 1.9.18+
Reported by: Petr Škoda, Jenny Donnelly
Issue no.: MDL-36346
CVE Identifier: CVE-2012-5475
Workaround: Delete YUI SWF files
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36346
Description: An XSS vulnerability has been discovered in some YUI 2 .swf files from versions 2.4.0 through 2.9.0. This defect allows JavaScript injection exploits to be created against domains that host affected YUI .swf files.

MSA-12-0059: Information leak in Database activity module

by Michael de Raadt
Topic: Members of separate groups can see Database activity entries for other groups
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by: Richard Meyer
Issue no.: MDL-34448
CVE Identifier: CVE-2012-5473
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34448
Description: Within the Database activity module, when separate groups were used, members of one group were able to see entries created by members of another group by completing an advanced search.