Security announcements

MSA-13-0007: Potential exploit in messaging

Michael de Raadt -
Description: The messaging system was not checking the user's session correctly when messages are sent.
Issue summary: Course message sending can be exploited by CSRF

Severity/Risk: Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+
Reported by: Andrew Nicols
Issue no.: MDL-36600

CVE identifier: CVE-2012-6103
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36600

MSA-13-0006: Potential information leak in Assignment module

Michael de Raadt -
Description: Through URL manipulation, students were able to view feedback comments provided on other students' submissions.
Issue summary: Assignment comment permissions are not being validated

Severity/Risk: Serious
Versions affected: 2.4, 2.3 to 2.3.3+
Reported by: Dan Poltawski
Issue no.: MDL-37244

CVE identifier: CVE-2012-6102
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37244

MSA-13-0005: Potential phishing attack through URL redirects

Michael de Raadt -
Description: Insufficient filtering of return URLs on some pages was allowing redirects to sites outside Moodle.
Issue summary: Open redirect issues

Severity/Risk: Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+
Reported by: Simon Coggins
Issue no.: MDL-35991

CVE identifier: CVE-2012-6101
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35991

MSA-13-0004: Information leak through activity report

Michael de Raadt -
Description: Under certain circumstances, when last access is included in a list of fields forced to be hidden, the Activity report would still reveal users' last access.
Issue summary: Activity Report showing lastaccess even if it is a hidden field

Severity/Risk: Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+
Reported by: Jody Steel
Issue no.: MDL-33340

CVE identifier: CVE-2012-6100
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-33340

MSA-13-0003: Potential server file access through backup restoration

Michael de Raadt -
Description: Paths in backups to restorable files were not being sufficiently validated and could be manipulated to gain access to files on the server.
Issue summary: moodle1 backup converter path not properly validated

Severity/Risk: Serious
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+
Reported by: Dan Poltawski
Issue no.: MDL-36977

CVE identifier: CVE-2012-6099
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36977

MSA-13-0002: Capability issue with Outcome editing

Michael de Raadt -
Description: Users without the appropriate capability were able to set a custom outcome they had created as a standard site-wide capability when editing that outcome.
Issue summary: Teachers can set Outcomes to be Standard when re-editing

Severity/Risk: Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+, 1.9 to 1.9.19
Reported by: Elena Ivanov
Issue no.: MDL-27619

CVE identifier: CVE-2012-6098
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-27619

MSA-13-0001: Security issue in Google Spellchecker in TinyMCE

Michael de Raadt -
Description: A security issue was reported by TinyMCE. This fix has been applied to Moodle.
Issue summary: import tinymce spellchecker 2.0.6.1

Severity/Risk: Serious
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+
Reported by: Petr Škoda
Issue no.: MDL-37283

CVE identifier: CVE-2012-6112
Workaround: Disable spellchecker plugin
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37283

MSA-12-0063: Information leak in Check Permissions page

Michael de Raadt -
Topic: Check Permissions page displays entire user base without moodle/role:manage capability
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.2+
Reported by: Jody Steele
Issue no.: MDL-35381

CVE Identifier: CVE-2012-5481
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35381

Description: The Check Permissions page was allowing non-admin users to see the capabilities of all users, not just users in a course/category.

MSA-12-0062: Information leak in Database activity module

Michael de Raadt -
Topic: Any user (including a guest) can view entries in database activity when more entries are required before viewing other participants' entries
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by: Tabitha Roder
Issue no.: MDL-35558

CVE Identifier: CVE-2012-5480
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35558

Description: The setting requiring that a number of entries be posted to a Database activity before others' entries could be viewed could be circumvented using an advanced search.

MSA-12-0061: Remote code execution through Portfolio API

Michael de Raadt -
Topic: Portfolio plugin: Local File Inclusion (LFI) and the possibility of Remote Command Execution (RCE).
Severity/Risk: Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by: Cristobal Leiva
Issue no.: MDL-33791

CVE Identifier: CVE-2012-5479
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36346

Description: It was possible, when Moodle data is stored within the Web accessible directory, to manipulate the Portfolio API callbacks to execute a file uploaded by a user.