Security announcements

MSA-11-0011: Multiple cross-site scripting problems in media filter

by Helen Foster
Topic: Multiple cross-site scripting problems in media filter
Severity: Major
Versions affected: <1.9.11 and <2.0.2
Reported by: Internal code review
Issue no.: MDL-26030
Solution: Upgrade to latest version
Workaround: Disable media filter

Description:

Incorrect text escaping in media filter could allow authenticated users to launch cross-site scripting attacks.

MSA-11-0010: Incorrect default for mod:course/delete capability in teacher role

by Helen Foster
Topic: Incorrect default for mod:course/delete capability in teacher role
Severity: Potential problem
Versions affected: <2.0.2 (1.9.x not affected)
Reported by: Patrick Pollet
Issue no.: MDL-25672
Solution: Fix teacher role permissions manually

Description:

By default in new installations teachers were allowed to delete courses.

MSA-11-0009: My profile block may disclose private information if used in user context

by Helen Foster
Topic: My profile block may disclose private information if used in user context
Severity: Minor
Versions affected: <2.0.2 (1.9.x not affected)
Reported by: Internal code review
Issue no.: MDL-26034
Solution: Upgrade to latest version
Workaround: Uninstall the myprofile block and delete block/myprofile files

Description:

The My profile block could allow disclosure of private information when placed on pages in the user context. The block was changed to show only current user information.

MSA-11-0008: IMS enterprise enrolment file may disclose sensitive information

by Helen Foster
Topic: IMS enterprise enrolment file may disclose sensitive information
Severity: Major
Versions affected: <1.9.11 and <2.0.2
Reported by: Internal code review
Issue no.: MDL-26189
Solution: Upgrade to latest version
Workaround: Move the imsenterprise-enrol.xml file outside of the course files area

Description:

Putting the IMS enterprise enrol file in the course files area may result in disclosure of sensitive information.

MSA-11-0007: Cross-site scripting vulnerability in course tags

by Helen Foster
Topic: Cross-site scripting vulnerability in course tags
Severity: Major
Versions affected: <2.0.2 (1.9.x not affected)
Reported by: Internal code review
Issue no.: MDL-26196
Solution: Upgrade to latest version
Workaround: Disable tags

Description:

We have discovered missing parameter validation in the course tag code; this could allow an attacker to launch a cross-site scripting attack.

MSA-11-0006: Cross-site request forgery and missing access control in course completion

by Helen Foster
Topic: Cross-site request forgery and missing access control in course completion
Severity: Major
Versions affected: <2.0.2 (1.9.x not affected)
Reported by: Internal code review
Issue no.: MDL-26198
Solution: Upgrade to latest version
Workaround: Disable course completion

Description:

We have discovered several problems in the course completion code during code review which could allow an attacker to mark activities and courses as completed.

MSA-11-0005: Cross-site scripting vulnerability in spikephpcoverage

by Helen Foster
Topic: Cross-site scripting vulnerability in spikephpcoverage
Severity: Major
Versions affected: <2.0.2 (1.9.x not affected)
Reported by: AutoSec Tools
Issue no.: MDL-26237
Solution: Upgrade to latest version
Workaround: Delete lib/spikephpcoverage/src/phpcoverage.remote.top.inc.php and lib/spikephpcoverage/src/phpcoverage.remote.bottom.inc.php

Description:

AutoSec Tools published a report of a cross-site scripting vulnerability in the bundled spikephpcoverage library.

MSA-11-0004: $CFG->forceloginforprofiles setting ignored in course profiles

by Helen Foster
Topic: $CFG->forceloginforprofiles option ignored for course profiles
Severity: Major
Versions affected: <2.0.2 (1.9.x not affected)
Reported by: Amr Hourani
Issue no.: MDL-26389
Solution: Upgrade to latest version
Workaround: Enable $CFG->forcelogin and disable $CFG->opentogoogle (recommended settings for sites with high privacy requirements)

Description:

$CFG->forceloginforprofiles was ignored for course profiles resulting in search engine indexing and guest user access.

MSA-11-0003: Cross-site scripting vulnerability in tag autocomplete

by Helen Foster
Topic: Cross-site scripting vulnerability in tag autocomplete
Severity: Major
Versions affected: <1.9.11 and <2.0.2
Reported by: gose
Issue no.: MDL-25754
Solution: Upgrade to latest version
Workaround: Delete /tag/tag_autocomplete.php file

Description:

Missing tag validation could allow an attacker to conduct a cross-site scripting attack.

MSA-11-0002: Cross-site request forgery vulnerability in RSS block

by Helen Foster
Topic: Cross-site request forgery in RSS block
Severity: Major
Versions affected: <1.9.11 (2.0.x not vulnerable)
Reported by: Dan Poltawski
Issue no.: MDL-18839
Solution: Upgrade to 1.9.11
Workaround: Delete the RSS feeds block

Description:

This vulnerability could allow an attacker to manipulate RSS feeds used in an RSS block.