| Topic: | SQL injection in SCORM module |
| Severity/Risk: | Minor |
| Versions affected: | <1.8.11 and <1.9.7 |
| Reported by: | Andrea Tuccia |
| Issue no.: | MDL-20955 |
| Solution: | upgrade to 1.8.11 or 1.9.7 |
| Workaround: | none |
Description:
Andrea Tuccia discovered escaping issue when processing AICC CRS file (Course_Title). The problem is marked as minor because only trusted users are allow to upload SCORM packages.
| Topic: | New detection of insecure flash player plugins |
| Severity/Risk: | Major |
| Versions affected: | <1.9.7 |
| Reported by: | internal code review |
| Issue no.: | MDL-20841 |
| Solution: | upgrade to 1.9.7 |
| Workaround: | none |
Description:
Older Flash versions that do not respect the download http header may be used to gain unauthorised access. Moodle is now able to detect obsolete and vulnerable Flash plugin versions. Moodle will actually refuse to send uploaded files to older Flash plugins and will instead send an alternative Flash file that asks users to upgrade. All administrators and teachers should upgrade their computers as soon as possible.
| Topic: | Multiple password related issues |
| Severity/Risk: | Critical |
| Versions affected: | <1.8.11 and <1.9.7 |
| Reported by: | exploit of weak passwords published anonymously on moodle.org and multiple other reports |
| Issue no.: | MDL-18807, MDL-18006, MDL-19608, MDL-20934 |
| Solution: | upgrade to 1.8.11 or 1.9.7 |
| Workaround: | set up password salt in config.php, enforce strong password policy, force password change on important accounts, verify LDAP configuration if used |
Description:
Administrators are now forced to change their password after upgrading. The installer now puts a random password salt into config.php, existing sites notify administrators to configure the salt via security overview reports. Strong password policy is now enabled by default. Only internal authentication plugins now store password hashes in user table, cached hashes are removed for all external plugins (though the LDAP plugin already had the option to prevent passwords in user table). Bulk user actions now contain an option to force password change.
| Topic: | Multiple backup/restore related issues |
| Severity/Risk: | Critical |
| Versions affected: | <1.8.11 and <1.9.7 |
| Reported by: | multiple reports |
| Issue no.: | MDL-20838, MDL-20849, MDL-20939, MDL-20932 |
| Solution: | upgrade to 1.8.11 or 1.9.7 |
| Workaround: | remove backup capability from all users |
Description:
User password hashes and secrets are now never included in backup files. There are also new capabilities that control backup/restore of all user information (separately from the course data), and these are off by default. The admin has much better control over who has these capabilities, and the security overview report now gives a comprehensive picture of dangerous roles, overrides, users etc. Even if this capability is enabled, only enrolled users can be included in backup files.
| Topic: | Login information can be sent unsecured when site is configured to use SSL for logins |
| Severity/Risk: | Minor |
| Versions affected: | <1.8.11 and <1.9.7 |
| Reported by: | Mike Churchward |
| Issue no.: | MDL-20958 |
| Solution: | upgrade to 1.8.11 or 1.9.7 |
| Workaround: | apply patch http://cvs.moodle.org/moodle/login/index_form.html?r1=1.50.2.1&r2=1.50.2.2 |
Description:
Mike Churchward described a potential problem and proposed a solution that prevents sending of password via unsecured connection when SSL required only for logins.
| Topic: | Invalid application access control in MNET interface |
| Severity/Risk: | Major |
| Versions affected: | <1.8.11 and <1.9.7 |
| Reported by: | Adrian Schlegel |
| Issue no.: | MDL-20639 |
| Solution: | upgrade to 1.8.11 or 1.9.7 |
| Workaround: | apply patch http://cvs.moodle.org/moodle/mnet/lib.php?r1=1.16.2.10&r2=1.16.2.11 http://cvs.moodle.org/moodle/mnet/lib.php?r1=1.9.2.7&r2=1.9.2.8 |
Description:
Adrian Schlegel reported a serious problem in the MNET implementation allowing execution of any MNET function from all registered remote servers. The server is vulnerable only when MNET services are enabled on the server.
| Topic: | Unneeded MD5 hashes removed from user table |
| Severity/Risk: | Major |
| Versions affected: | <1.8.11 and <1.9.7 |
| Reported by: | internal code review |
| Issue no.: | MDL-20934 |
| Solution: | upgrade to 1.8.11 or 1.9.7 |
| Workaround: | none |
Description:
All authentication plugins except LDAP were storing md5 hashes of passwords in the user table, but these "cached" hashes were only actually used in some authentication plugins. We have now replaced md5 hashes with 'not cached' flag in all external authentication types. Please note this change may break backwards compatibility and some 3rd party modifications. If you have any custom code using this field in the table it will need to be rewritten.
| Topic: | Insufficient access control in glossary |
| Severity/Risk: | Major |
| Versions affected: | <1.8.11 and <1.9.7 |
| Reported by: | internal code review |
| Issue no.: | MDL-20928 |
| Solution: | upgrade to 1.8.11 or 1.9.7 |
| Workaround: | use new mod/glossary/showentry.php |
Description:
We have discovered that insufficient access control may allow unauthorised users to view glossary entries.
| Topic: | User account disclosure in LAMS module |
| Severity/Risk: | Major |
| Versions affected: | <1.8.11 and <1.9.7 |
| Reported by: | internal code review |
| Issue no.: | MDL-20924 |
| Solution: | upgrade to 1.8.11 or 1.9.7 |
| Workaround: | uninstall module and delete mod/lams directory |
Description:
LAMS module code discloses username, firstname and lastname database fields from user table. This information could be used in other types of attacks.
| Topic: | Multiple CSRF problems fixed |
| Severity/Risk: | Major |
| Versions affected: | <1.8.11 and <1.9.7 |
| Reported by: | internal code review |
| Issue no.: | MDL-20705, MDL-20707, MDL-20706, MDL-20925, MDL-20929, MDL-20930, MDL-20931, MDL-20901 |
| Solution: | upgrade to 1.8.11 or 1.9.7 |
| Workaround: | none |
Description:
We have discovered and fixed multiple cross site request forgery (CSRF) problems during internal code review.