Security announcements

MSA-12-0060: Cross-site scripting vulnerability in YUI2

by Michael de Raadt
Topic: yui2 swf vulnerability
Severity/Risk: Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+, 1.9 to 1.9.18+
Reported by: Petr Škoda, Jenny Donnelly
Issue no.: MDL-36346

CVE Identifier:

CVE-2012-5475

Workaround:

Delete YUI SWF files

Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36346

Description:

An XSS vulnerability has been discovered in some YUI 2 .swf files from versions 2.4.0 through 2.9.0. This defect allows JavaScript injection exploits to be created against domains that host affected YUI .swf files.

MSA-12-0059: Information leak in Database activity module

by Michael de Raadt
Topic: Members of separate groups can see Database activity entries for other groups
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by: Richard Meyer
Issue no.: MDL-34448

CVE Identifier:

CVE-2012-5473
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34448

Description:

Within the Database activity module, when separate groups were used, members of one group were able to see entries created by members of another group by completing an advanced search.

MSA-12-0058: Possible form data manipulation issue

by Michael de Raadt
Topic: add setConstant() for hardfreeze element
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+
Reported by: Rossiani Wijaya
Issue no.: MDL-32785

CVE Identifier:

CVE-2012-5472
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32785

Description:

Frozen form elements were open to manipulation when form data was submitted.

MSA-12-0057: Access issue through repository

by Michael de Raadt
Topic: User B is able to see and use Dropbox of User A within Dropbox Repository File Picker
Severity/Risk: Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by: Alexander Bias
Issue no.: MDL-29872, MDL-36366

CVE Identifier:

CVE-2012-5471

Workaround:

Turn off Dropbox repository

Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29872

Description:

Users who logged out of Dropbox through the Moodle repository were disconnected in Moodle, but the user's access to Dropbox was still allowed while their browser session continued.

MSA-12-0056: Information leak in drag-and-drop

by Michael de Raadt
Topic: Information disclosure in yui_combo.php
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.1+
Reported by: Mark Baseggio
Issue no.: MDL-35168

CVE Identifier:

CVE-2012-4403
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35168

Description:

The drag-and-drop script was responding to bad requests with information that included the full path to scripts on the server.

MSA-12-0055: Web service access token issue

by Michael de Raadt
Topic: A web service token allows the user to run functions from any external service, not just those linked to the external service the token is for
Severity/Risk: Serious
Versions affected: 2.3 to 2.3.1+, 2.2 to 2.2.4+, 2.1 to 2.1.7+
Reported by: Nathan Mares
Issue no.: MDL-34368

CVE Identifier:

CVE-2012-4402
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34368

Description:

Users with permission to access multiple services were able to use a token from one service to access another.

MSA-12-0054: Course reset permission issue

by Michael de Raadt
Topic: Course reset not protected by proper capability
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.1+, 2.2 to 2.2.4+, 2.1 to 2.1.7+
Reported by: Rex Lorenzo
Issue no.: MDL-34519

CVE Identifier:

CVE-2012-4408
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34519

Description:

The course reset link was protected by a correct permission but the reset page itself was being checked for a different permission.

MSA-12-0053: Blog file access issue

by Michael de Raadt
Topic: 'publishstate' === 'public'
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.1+, 2.2 to 2.2.4+, 2.1 to 2.1.7+
Reported by: Kyle Decot
Issue no.: MDL-34585

CVE Identifier:

CVE-2012-4407
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34585

Description:

Files embedded as part of a blog were being delivered without checking the publication state properly.

MSA-12-0052: Course topics permission issue

by Michael de Raadt
Topic: Permissions problems in topic course format
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.1+, 2.2 to 2.2.4+
Reported by: Alexander Bias
Issue no.: MDL-28207

CVE Identifier:

CVE-2012-4401
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28207

Description:

Users with course editing capabilities, but without permission to show/hide topics and set the current topic, were able to complete these actions under certain conditions.

MSA-12-0051: File upload size constraint issue

by Michael de Raadt
Topic: /repository/repository_ajax.php allows you to supply -1 for "maxbytes" and side step moodle file size restrictions
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.1+, 2.2 to 2.2.4+
Reported by: Andrew Davis
Issue no.: MDL-30792

CVE Identifier:

CVE-2012-4400
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-30792

Description:

It was possible for a user to manipulate script parameters to upload a file larger than set limits.