Security announcements

MSA-11-0052: Potential to exploit developer debugging scripts

by Michael de Raadt
Topic: print_object in datalib.php should have some validation to make sure it's not exploited
Severity: Minor
Versions affected: 2.1 to 2.1.2+, 2.0 to 2.0.5+ (1.9.x not affected)
Reported by: Rajesh Taneja
Issue no.: MDL-28947
Changes (master): http://git.moodle.org/gw?p=moodle.git;a=commit;h=187672608ec96659e07f2461b3b83634debd16cb
Workaround: Avoid leaving debugging code behind

Description:

Developers debugging a system may output object states, and the filtering of this output has now been strengthened.

MSA-11-0051: Authentication issue with Web services

by Michael de Raadt
Topic: webservice access tokens ignore login restrictions
Severity: Serious
Versions affected: 2.1 to 2.1.2+, 2.0 to 2.0.5+ (1.9.x not affected)
Reported by: Petr Škoda
Issue no.: MDL-28629
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28629
Workaround: Turn off web services

Description:

Web services were not checking all login restrictions when authenticating a user.

MSA-11-0050: Backup capability issue

by Michael de Raadt
Topic: moodle/course:changeidnumber permission is ignored when restoring a course into an existing course
Severity: Minor
Versions affected: 2.1 to 2.1.2+, 2.0 to 2.0.5+ (1.9.x not affected)
Reported by: Andrew Nicols
Issue no.: MDL-29591
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29591

Description:

The capability for replacing course ID numbers when restoring a course was not being followed.

MSA-11-0049: Network restriction ineffective with MNet

by Michael de Raadt
Topic: ip_in_range always returns true
Severity: Serious
Versions affected: 1.9 to 1.9.14+ (2.x not affected)
Reported by: Patrick McNeill
Issue no.: MDL-29551
Changes (1.9): http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=3ab2851d2a59721445945d0706c58092e07e861e
Workaround: Do not rely on IP address restriction with MNet

Description:

The effectiveness of IP address restrictions through XMLRPC was faulty in some circumstances.

MSA-11-0048: Password loss issue

by Michael de Raadt
Topic: Password policy misconfiguration results in blank password from password reset
Severity: Minor
Versions affected: 2.1 to 2.1.2+, 2.0 to 2.0.5+, 1.9 to 1.9.14+
Reported by: Stephen Mc Guinness
Issue no.: MDL-29893
Changes (master): http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=e079e82c087becf06d902089d14f3f76686bde19
Workaround: Do not set password policy length values to zero

Description:

When password policy length values (length of password, digits, lowercase letters, etc.) are set to zero, an empty password can be entered, but then it is not possible to change this password.

MSA-11-0047: Possible injection attack in Calendar

by Michael de Raadt
Topic: CRLF injection/HTTP response splitting affecting /calendar/set.php
Severity: Serious
Versions affected: 2.1 to 2.1.2+, 2.0 to 2.0.5+, 1.9 to 1.9.14+
Reported by: David Michael Evans, German Sanchez Garces
Issue no.: MDL-29925
Changes (master): http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=581e8dba387f090d89382115fd850d8b44351526

Description:

It was possible to take advantage of the structure of request headers to inject information for various nefarious purposes.

MSA-11-0046: Insecure authentication transmission

by Michael de Raadt
Topic: Change password form is sent over HTTP when httpslogin = true
Severity: Minor
Versions affected: 1.9 to 1.9.14+ (2.x not affected)
Reported by: Darragh Enright
Issue no.: MDL-29092
Changes (1.9): http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=01dd64a8c8aa95f793accea371b2392e662663c5

Description:

When a user was entering a new password, this information was sent to the server using an insecure transmission.

MSA-11-0045: Potential to masquerade through MNet

by Michael de Raadt
Topic: MNET auth and "Login As" functionality
Severity: Minor
Versions affected: 2.1 to 2.1.2+, 2.0 to 2.0.5+, 1.9 to 1.9.14+
Reported by: vickerylm
Issue no.: MDL-29977
Changes (master): http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=10df8657c1c138c0d0ab1d4796c552fcec0c299b
Workaround: Turn off MNet or "Login as"

Description:

MNET authentication didn't prevent a user using "Login As" from jumping to a remote MNET SSO, such as an enabled Mahara site.

MSA-11-0044: Expired identification information shown in Web services

by Michael de Raadt
Topic: security key web service tokens are displayed when the service is disabled or if the user is not authorized any more
Severity: Minor
Versions affected: 2.1 to 2.1.2+, 2.0 to 2.0.5+ (1.9.x not affected)
Reported by: Jerome Mouneyrac
Issue no.: MDL-28670
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28670&sr=1
Workaround: Do not enable then disable web services

Description:

Expired web service tokens were being displayed.

MSA-11-0043: Possible link redirect in Calendar

by Michael de Raadt
Topic: Calendar doesn't check $returnurl is valid
Severity: Minor
Versions affected: 2.1 to 2.1.2+ (2.0.x, 1.9.x not affected)
Reported by: Dan Marsden
Issue no.: MDL-28720
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28720&sr=1

Description:

The Calendar set page was taking a full URL used for redirection without checking if the URL is within the Moodle site.
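
MSA-11-0047 and MSA-11-0043 both concern a redirect target taken from the request on the Calendar set page. The following added example (not Moodle's code and not the fix in the linked commits) shows one way to validate such a return URL before it reaches a `Location` header; the function name, site root and sample URLs are assumptions made for illustration.

```php
<?php
// Added illustration, not Moodle code. Function name and sample URLs are hypothetical.
// Returns $candidate if it is safe for a Location header and inside $siteRoot, else $fallback.
function safe_return_url(string $candidate, string $siteRoot, string $fallback): string {
    // Control characters (CR, LF, NUL, ...) allow header injection; a backslash
    // is read as "/" by some browsers, so "/\host" can leave the site.
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $candidate)) {
        return $fallback;
    }
    $root = parse_url($siteRoot);
    $url  = parse_url($candidate);
    if (!is_array($root) || !is_array($url) || isset($url['user']) || isset($url['pass'])) {
        return $fallback;
    }
    // Absolute and protocol-relative ("//host/...") URLs must match the site origin.
    if (isset($url['scheme']) || isset($url['host'])) {
        $sameOrigin = strcasecmp($url['scheme'] ?? '', $root['scheme'] ?? '') === 0
            && strcasecmp($url['host'] ?? '', $root['host'] ?? '') === 0
            && ($url['port'] ?? null) === ($root['port'] ?? null);
        if (!$sameOrigin) {
            return $fallback;
        }
    }
    // The path must sit under the site's base path and must not climb out of it.
    $base = rtrim($root['path'] ?? '', '/') . '/';
    $path = $url['path'] ?? '/';
    if (preg_match('#(^|/)\.\.(/|$)#', $path)
        || strncmp(rtrim($path, '/') . '/', $base, strlen($base)) !== 0) {
        return $fallback;
    }
    return $candidate;
}

// Constructed inputs: one legitimate return URL and several hostile ones.
$site     = 'https://moodle.example/moodle';
$fallback = $site . '/calendar/view.php';
$samples  = [
    '/moodle/calendar/view.php?view=month',
    'https://other.example/moodle/',
    '//other.example/moodle/',
    "/moodle/calendar/view.php\r\nX-Injected: 1",
    'https://moodle.example@other.example/moodle/',
    '/moodlex/../moodle/',
];
foreach ($samples as $s) {
    printf("%-58s => %s\n", json_encode($s), safe_return_url($s, $site, $fallback));
}
```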