Security announcements

MSA-09-0029: Multiple password related issues

by Helen Foster
Topic: Multiple password related issues
Severity/Risk: Critical
Versions affected: <1.8.11 and <1.9.7
Reported by: exploit of weak passwords published anonymously on moodle.org and multiple other reports
Issue no.: MDL-18807, MDL-18006, MDL-19608, MDL-20934
Solution: upgrade to 1.8.11 or 1.9.7
Workaround: set up password salt in config.php, enforce strong password policy, force password change on important accounts, verify LDAP configuration if used


Description:
Administrators are now forced to change their password after upgrading. The installer now puts a random password salt into config.php; existing sites notify administrators to configure the salt via the security overview report. Strong password policy is now enabled by default. Only internal authentication plugins now store password hashes in the user table; cached hashes are removed for all external plugins (though the LDAP plugin already had the option to prevent passwords in the user table). Bulk user actions now contain an option to force password change.
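The two workarounds above, a site-wide password salt and a strong password policy, are shown below as an added Python example that models the scheme rather than reproducing Moodle's own PHP. The configuration dictionary stands in for config.php, the setting names (passwordsaltmain, passwordsaltalt1 and so on), the md5(password . salt) layout and the policy thresholds are my assumptions about the Moodle 1.9 scheme and not taken from this page, and every value in CONFIG is constructed. The point it adds to the description is how a site rotates a salt without locking users out: verification tries the current salt, then retired salts, then the legacy unsalted hash, and reports when a stored hash should be regenerated.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the salt settings in config.php (names assumed).
CONFIG = {
    "passwordsaltmain": "constructed-main-salt-7f3a",
    "passwordsaltalt1": "constructed-retired-salt-2c19",  # kept only to verify old hashes
}

# Thresholds assumed for the "strong password policy" defaults.
POLICY = {"minlength": 8, "digits": 1, "lower": 1, "upper": 1, "nonalnum": 1}


def generate_salt(nbytes=32):
    """Random salt suitable for pasting into config.php as passwordsaltmain."""
    return secrets.token_hex(nbytes)


def hash_password(password, salt):
    """md5(password . salt): the salted layout this example assumes."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


def legacy_hash(password):
    """Unsalted md5, the layout sites had before a salt was configured."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def verify_password(password, stored_hash, config=CONFIG):
    """Return (ok, needs_rehash).

    The current salt is tried first, then retired salts passwordsaltalt1..20,
    then the unsalted legacy hash. A match on anything other than the current
    salt is still accepted, but needs_rehash tells the caller to store a fresh
    hash under the current salt so the old salt can eventually be dropped.
    """
    main = config.get("passwordsaltmain", "")
    if main and hmac.compare_digest(hash_password(password, main), stored_hash):
        return True, False
    for i in range(1, 21):
        alt = config.get(f"passwordsaltalt{i}")
        if alt and hmac.compare_digest(hash_password(password, alt), stored_hash):
            return True, True
    if hmac.compare_digest(legacy_hash(password), stored_hash):
        return True, True
    return False, False


def check_password_policy(password, policy=POLICY):
    """Return the list of policy rules the password fails (empty means it passes)."""
    problems = []
    if len(password) < policy["minlength"]:
        problems.append("length")
    if sum(c.isdigit() for c in password) < policy["digits"]:
        problems.append("digits")
    if sum(c.islower() for c in password) < policy["lower"]:
        problems.append("lower")
    if sum(c.isupper() for c in password) < policy["upper"]:
        problems.append("upper")
    if sum(not c.isalnum() for c in password) < policy["nonalnum"]:
        problems.append("nonalnum")
    return problems


if __name__ == "__main__":
    # Constructed walk-through: a user whose hash was made under the retired salt.
    stored = hash_password("Tr0ub4dor&3", CONFIG["passwordsaltalt1"])
    ok, rehash = verify_password("Tr0ub4dor&3", stored)
    print("login ok:", ok, "| rehash under current salt:", rehash)
    print("policy failures for 'password':", check_password_policy("password"))
    print("new salt for config.php:", generate_salt())
```

Adding the salt on an existing site does not change the hashes already in the user table, which is why the fallback chain exists: the unsalted legacy hash is accepted once, and the rehash flag is the moment to replace it. Comparisons go through hmac.compare_digest so the verifier does not leak which branch matched through timing.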

MSA-09-0028: Multiple backup/restore related issues

by Helen Foster
Topic: Multiple backup/restore related issues
Severity/Risk: Critical
Versions affected: <1.8.11 and <1.9.7
Reported by: multiple reports
Issue no.: MDL-20838, MDL-20849, MDL-20939, MDL-20932
Solution: upgrade to 1.8.11 or 1.9.7
Workaround: remove backup capability from all users


Description:
User password hashes and secrets are now never included in backup files. There are also new capabilities that control backup/restore of all user information (separately from the course data), and these are off by default. The admin has much better control over who has these capabilities, and the security overview report now gives a comprehensive picture of dangerous roles, overrides, users etc. Even if this capability is enabled, only enrolled users can be included in backup files.

MSA-09-0027: Login information can be sent unsecured even when site is configured to use SSL for logins

by Helen Foster
Topic: Login information can be sent unsecured when site is configured to use SSL for logins
Severity/Risk: Minor
Versions affected: <1.8.11 and <1.9.7
Reported by: Mike Churchward
Issue no.: MDL-20958
Solution: upgrade to 1.8.11 or 1.9.7
Workaround: apply patch
http://cvs.moodle.org/moodle/login/index_form.html?r1=1.50.2.1&r2=1.50.2.2


Description:
Mike Churchward described a potential problem and proposed a solution that prevents sending of the password via an unsecured connection when SSL is required only for logins.

MSA-09-0026: Invalid application access control in MNET interface

by Helen Foster
Topic: Invalid application access control in MNET interface
Severity/Risk: Major
Versions affected: <1.8.11 and <1.9.7
Reported by: Adrian Schlegel
Issue no.: MDL-20639
Solution: upgrade to 1.8.11 or 1.9.7
Workaround: apply patch
http://cvs.moodle.org/moodle/mnet/lib.php?r1=1.16.2.10&r2=1.16.2.11
http://cvs.moodle.org/moodle/mnet/lib.php?r1=1.9.2.7&r2=1.9.2.8


Description:
Adrian Schlegel reported a serious problem in the MNET implementation allowing execution of any MNET function from all registered remote servers. The server is vulnerable only when MNET services are enabled on the server.

MSA-09-0025: Unneeded MD5 hashes removed from user table

by Helen Foster
Topic: Unneeded MD5 hashes removed from user table
Severity/Risk: Major
Versions affected: <1.8.11 and <1.9.7
Reported by: internal code review
Issue no.: MDL-20934
Solution: upgrade to 1.8.11 or 1.9.7
Workaround: none


Description:
All authentication plugins except LDAP were storing md5 hashes of passwords in the user table, but these "cached" hashes were only actually used in some authentication plugins. We have now replaced md5 hashes with a 'not cached' flag in all external authentication types. Please note this change may break backwards compatibility and some 3rd party modifications. If you have any custom code using this field in the table, it will need to be rewritten.

MSA-09-0024: Insufficient access control in glossary

by Helen Foster
Topic: Insufficient access control in glossary
Severity/Risk: Major
Versions affected: <1.8.11 and <1.9.7
Reported by: internal code review
Issue no.: MDL-20928
Solution: upgrade to 1.8.11 or 1.9.7
Workaround: use new mod/glossary/showentry.php


Description:
We have discovered that insufficient access control may allow unauthorised users to view glossary entries.

MSA-09-0023: User account disclosure in LAMS module

by Helen Foster
Topic: User account disclosure in LAMS module
Severity/Risk: Major
Versions affected: <1.8.11 and <1.9.7
Reported by: internal code review
Issue no.: MDL-20924
Solution: upgrade to 1.8.11 or 1.9.7
Workaround: uninstall module and delete mod/lams directory


Description:
The LAMS module code discloses the username, firstname and lastname database fields from the user table. This information could be used in other types of attacks.

MSA-09-0022: Multiple CSRF problems fixed

by Helen Foster
Topic: Multiple CSRF problems fixed
Severity/Risk: Major
Versions affected: <1.8.11 and <1.9.7
Reported by: internal code review
Issue no.: MDL-20705, MDL-20707, MDL-20706, MDL-20925, MDL-20929, MDL-20930, MDL-20931, MDL-20901
Solution: upgrade to 1.8.11 or 1.9.7
Workaround: none


Description:
We have discovered and fixed multiple cross site request forgery (CSRF) problems during internal code review.

MSA-09-0021: Error in ADODB OCI8/MSSQL drivers allows SQL injection vulnerability

by Petr Skoda
Topic: Error in ADODB OCI8/MSSQL drivers allows SQL injection vulnerability
Severity/Risk: Critical (only servers using Oracle and MS SQL databases)
Versions affected: <1.9.6
Reported by: Sam Moffatt
Issue no.: MDL-19452
Solution: upgrade to latest weekly build or 1.9.6
Workaround: none


Description:
Sam Moffatt discovered a potential problem in the way the ADODB library quotes special characters when the database engine is using Sybase style quoting.
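The failure mode in this advisory is a mismatch between how a value is escaped and how the database parses it. The added Python example below is mine, not ADODB's or Moodle's code: it models the two quoting conventions (backslash escaping as MySQL accepts it, and quote doubling as Sybase, MSSQL and Oracle expect), parses the resulting statement the way a Sybase-style engine would, and reports any text that falls outside the intended literal. The table and column names, the value "O'Brien" and the query shape are constructed for illustration. A parameterised lookup against an in-memory SQLite database is included as the form that sidesteps the quoting question altogether.

```python
import sqlite3


def quote_backslash_style(value):
    """Escape by backslash, which MySQL accepts but Sybase-style engines do not."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def quote_sybase_style(value):
    """Escape by doubling the quote: the ANSI SQL rule used by Sybase/MSSQL/Oracle."""
    return "'" + value.replace("'", "''") + "'"


def build_query(username, quoter):
    """String-built query of the kind that depends on the quoter being right."""
    return "SELECT id FROM user WHERE username = " + quoter(username)


def split_sybase_literal(sql):
    """Parse the first single-quoted literal as a Sybase-style engine would.

    '' is an escaped quote, a backslash is an ordinary character. Returns
    (literal_value, trailing_sql); anything in trailing_sql was meant to be
    part of the value but will be parsed as SQL syntax.
    """
    i = sql.index("'") + 1
    out = []
    while i < len(sql):
        c = sql[i]
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                out.append("'")
                i += 2
                continue
            return "".join(out), sql[i + 1:]
        out.append(c)
        i += 1
    raise ValueError("unterminated string literal")


def value_escapes_literal(username, quoter):
    """True when the quoter lets part of the value leak out of the literal."""
    _, trailing = split_sybase_literal(build_query(username, quoter))
    return trailing != ""


def lookup_id_with_params(username):
    """Parameter binding: the driver quotes for its own engine, the code never does."""
    conn = sqlite3.connect(":memory:")  # constructed fixture, SQLite doubles quotes too
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT)")
    conn.execute("INSERT INTO user (username) VALUES (?)", ("O'Brien",))
    row = conn.execute("SELECT id FROM user WHERE username = ?", (username,)).fetchone()
    conn.close()
    return row[0] if row else None


if __name__ == "__main__":
    for name, quoter in (("backslash", quote_backslash_style), ("sybase", quote_sybase_style)):
        sql = build_query("O'Brien", quoter)
        literal, trailing = split_sybase_literal(sql)
        print(f"{name:9s} {sql!r:40s} literal={literal!r} trailing={trailing!r}")
    print("parameterised lookup:", lookup_id_with_params("O'Brien"))
```

With backslash escaping, a Sybase-style parser closes the literal at the first single quote, so "Brien'" is left over as SQL: a harmless name here, but the same boundary break is what turns attacker-supplied text into injected syntax. The detection function above is a useful unit test to keep next to any quoting helper that claims to support several engines; binding parameters removes the helper from the equation.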

MSA-09-0020: Teachers can view students' grades in all courses in the overview report

by Petr Skoda
Topic: Teachers can view students' grades in all courses in the overview report
Severity/Risk: Minor
Versions affected: <1.9.6
Reported by: Ratana Lim
Issue no.: MDL-20355
Solution: upgrade to latest weekly build or 1.9.6
Workaround: remove the overview report link - see http://docs.moodle.org/en/Simplifying_the_gradebook


Description:
Teachers could view students' grades in all courses, including courses for which they do not have teacher rights, in the overview report.