| Topic: | Persistent Cross Site Scripting vulnerability in the MNET access control interface |
| Severity/Risk: | Minor |
| Versions affected: | <1.8.13 and <1.9.9 |
| Reported by: | Sascha Herzog |
| Issue no.: | MDL-22040 |
| Solution: | upgrade to 1.8.13 or 1.9.9 |
| Workaround: | disable MNET or uncheck Allow extended characters in usernames |
Description:
Sasha Herzog reported a cross site scripting vulnerability in the MNET access control interface when server allows extended characters in usernames.
| Topic: | Session fixation prevention now turned on by default |
| Severity/Risk: | Major |
| Versions affected: | 1.8.x and <1.9.8 |
| Reported by: | Sascha Herzog |
| Issue no.: | MDL-21788 |
| Solution: | upgrade to 1.9.8 and confirm the enabling of session id regeneration |
Description:
Enabling of "Regenerate session id during login" setting is now strongly recommended for all production servers. It is now compatible with all official authentication plugins including mnet.
| Topic: | Persistent XSS when using Login-as feature |
| Severity/Risk: | Major |
| Versions affected: | <1.8.12 and <1.9.8 |
| Reported by: | Sascha Herzog |
| Issue no.: | MDL-21769 |
| Solution: | upgrade to 1.8.12 or 1.9.8 |
| Workaround: | see Version control tab in tracker issue |
Description:
Users may trick admins into using the "Login as" feature to edit some existing posts which contain XSS exploit code.
| Topic: | Reflective Cross Site Scripting (XSS) in the Moodle Global Search Engine |
| Severity/Risk: | Major (if global search enabled) |
| Versions affected: | <1.8.12 and <1.9.8 |
| Reported by: | Sascha Herzog |
| Issue no.: | MDL-21649 |
| Solution: | upgrade to 1.8.12 or 1.9.8 |
| Workaround: | apply patch http://cvs.moodle.org/moodle/search/query.php?r1=1.16.2.10&r2=1.16.2.11 |
Description:
Sascha Herzog found a problem in the handling of user submitted data in global search forms. This problem is exploitable only when global search is enabled. Please note that the global search feature is still listed as experimental and is disabled by default.
| Topic: | SQL injection in Wiki module |
| Severity/Risk: | Critical |
| Versions affected: | <1.8.12 and <1.9.8 |
| Reported by: | Matthew Slowe |
| Issue no.: | MDL-21818 |
| Solution: | upgrade to 1.8.12 or 1.9.8 |
| Workaround: | apply patch http://cvs.moodle.org/moodle/mod/wiki/view.php?r1=1.76.2.6&r2=1.76.2.7 or remove mod/wiki/* if wiki module not used |
Description:
Matthew Slowe discovered that the data passed to add_to_log() function in wiki module is not sanitised properly, this could allow SQL injection type attacks if there are any instances of wiki in your courses.
| Topic: | Incorrect validation of forms data |
| Severity/Risk: | Critical |
| Versions affected: | <1.8.12 and <1.9.8 |
| Reported by: | Sascha Herzog |
| Issue no.: | MDL-21767 |
| Solution: | upgrade to 1.8.12 or 1.9.8 |
| Workaround: | apply patch http://cvs.moodle.org/moodle/lib/form/selectgroups.php?r1=1.2.4.2&r2=1.2.4.3 or http://cvs.moodle.org/moodle/lib/form/select.php?r1=1.10.4.2&r2=1.10.4.3 |
Description:
Sascha Herzog discovered a SQL injection exploit in several forms, this was caused by incorrect data validation in some forms elements.
| Topic: | Improved access control in course restore |
| Severity/Risk: | Minor |
| Versions affected: | 1.8.x and <1.9.8 |
| Reported by: | multiple reports |
| Issue no.: | MDL-16658, MDL-19233 |
| Solution: | upgrade to 1.9.8 |
| Workaround: | none |
Description:
The restoring of courses sometimes resulted in creation of new roles - that code should be now more reliable. Please note that all the users that are allowed to restore backup files must be trustworthy.
| Topic: | Disclosure of full user names |
| Severity/Risk: | Minor - privacy |
| Versions affected: | <1.8.12 and <1.9.8 |
| Reported by: | Klaus Kirchner |
| Issue no.: | MDL-21830 |
| Solution: | upgrade to 1.8.12 or 1.9.8 |
| Workaround: | apply patch http://cvs.moodle.org/moodle/user/view.php?r1=1.168.2.28&r2=1.168.2.29 |
Description:
Klaus Kirchner identified a problem in the course profile page which allowed ordinary users to find out names of other users - see http://moodle.org/mod/forum/discuss.php?d=145967 for more details.
| Topic: | XSS vulnerabilty in the phpcas module |
| Severity/Risk: | Major (if using CAS) |
| Versions affected: | <1.8.12 and <1.9.8 |
| Reported by: | Joachim Fritschi |
| Issue no.: | MDL-21802 |
| Solution: | upgrade to 1.8.12 or 1.9.8 |
| Workaround: | use CAS/Client.php from latest release |
Description:
We have backported a fix for a security problem fixed in recent version of PHP CAS client library - http://www.ja-sig.org/issues/browse/PHPCAS-52. The problem can be exploited only if CAS authentication is enabled and used on your site.
| Topic: | Vulnerability in KSES text cleaning |
| Severity/Risk: | Major |
| Versions affected: | <1.8.12 and <1.9.8 |
| Reported by: | Sam Marshall |
| Issue no.: | MDL-21026 |
| Solution: | upgrade to 1.8.12 or 1.9.8 |
| Workaround: | apply patch http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.1349&r2=1.1350 |
Description:
Sam Marshall discovered a serious vulnerability in the KSES html text cleaning library that Moodle includes, please upgrade all sites in order to prevent XSS attacks from any registered user.
