Security announcements

MSA-09-0031: SQL injection in SCORM module

by Helen Foster
Topic: SQL injection in SCORM module
Severity/Risk: Minor
Versions affected: <1.8.11 and <1.9.7
Reported by: Andrea Tuccia
Issue no.: MDL-20955
Solution: upgrade to 1.8.11 or 1.9.7
Workaround: none


Description:
Andrea Tuccia discovered an escaping issue when processing the AICC CRS file (Course_Title). The problem is marked as minor because only trusted users are allowed to upload SCORM packages.

MSA-09-0030: New detection of insecure flash player plugins

by Helen Foster
Topic: New detection of insecure flash player plugins
Severity/Risk: Major
Versions affected: <1.9.7
Reported by: internal code review
Issue no.: MDL-20841
Solution: upgrade to 1.9.7
Workaround: none


Description:
Older Flash versions that do not respect the download HTTP header may be used to gain unauthorised access. Moodle is now able to detect obsolete and vulnerable Flash plugin versions. Moodle will refuse to send uploaded files to older Flash plugins and will instead send an alternative Flash file that asks users to upgrade. All administrators and teachers should upgrade their computers as soon as possible.

MSA-09-0029: Multiple password related issues

by Helen Foster
Topic: Multiple password related issues
Severity/Risk: Critical
Versions affected: <1.8.11 and <1.9.7
Reported by: exploit of weak passwords published anonymously on moodle.org and multiple other reports
Issue no.: MDL-18807, MDL-18006, MDL-19608, MDL-20934
Solution: upgrade to 1.8.11 or 1.9.7
Workaround: set up password salt in config.php, enforce strong password policy, force password change on important accounts, verify LDAP configuration if used


Description:
Administrators are now forced to change their password after upgrading. The installer now puts a random password salt into config.php; existing sites notify administrators to configure the salt via security overview reports. Strong password policy is now enabled by default. Only internal authentication plugins now store password hashes in the user table; cached hashes are removed for all external plugins (though the LDAP plugin already had the option to prevent passwords in the user table). Bulk user actions now contain an option to force password change.

MSA-09-0028: Multiple backup/restore related issues

by Helen Foster
Topic: Multiple backup/restore related issues
Severity/Risk: Critical
Versions affected: <1.8.11 and <1.9.7
Reported by: multiple reports
Issue no.: MDL-20838, MDL-20849, MDL-20939, MDL-20932
Solution: upgrade to 1.8.11 or 1.9.7
Workaround: remove backup capability from all users


Description:
User password hashes and secrets are now never included in backup files. There are also new capabilities that control backup/restore of all user information (separately from the course data), and these are off by default. The admin has much better control over who has these capabilities, and the security overview report now gives a comprehensive picture of dangerous roles, overrides, users etc. Even if this capability is enabled, only enrolled users can be included in backup files.

MSA-09-0027: Login information can be sent unsecured even when site is configured to use SSL for logins

by Helen Foster
Topic: Login information can be sent unsecured when site is configured to use SSL for logins
Severity/Risk: Minor
Versions affected: <1.8.11 and <1.9.7
Reported by: Mike Churchward
Issue no.: MDL-20958
Solution: upgrade to 1.8.11 or 1.9.7
Workaround: apply patch
http://cvs.moodle.org/moodle/login/index_form.html?r1=1.50.2.1&r2=1.50.2.2


Description:
Mike Churchward described a potential problem and proposed a solution that prevents the password from being sent over an unsecured connection when SSL is required only for logins.

MSA-09-0026: Invalid application access control in MNET interface

by Helen Foster
Topic: Invalid application access control in MNET interface
Severity/Risk: Major
Versions affected: <1.8.11 and <1.9.7
Reported by: Adrian Schlegel
Issue no.: MDL-20639
Solution: upgrade to 1.8.11 or 1.9.7
Workaround: apply patch
http://cvs.moodle.org/moodle/mnet/lib.php?r1=1.16.2.10&r2=1.16.2.11
http://cvs.moodle.org/moodle/mnet/lib.php?r1=1.9.2.7&r2=1.9.2.8


Description:
Adrian Schlegel reported a serious problem in the MNET implementation allowing execution of any MNET function from all registered remote servers. The server is vulnerable only when MNET services are enabled on the server.

MSA-09-0025: Unneeded MD5 hashes removed from user table

by Helen Foster
Topic: Unneeded MD5 hashes removed from user table
Severity/Risk: Major
Versions affected: <1.8.11 and <1.9.7
Reported by: internal code review
Issue no.: MDL-20934
Solution: upgrade to 1.8.11 or 1.9.7
Workaround: none


Description:
All authentication plugins except LDAP were storing MD5 hashes of passwords in the user table, but these "cached" hashes were only actually used in some authentication plugins. We have now replaced the MD5 hashes with a 'not cached' flag in all external authentication types. Please note this change may break backwards compatibility and some third-party modifications. If you have any custom code using this field in the table, it will need to be rewritten.

MSA-09-0024: Insufficient access control in glossary

by Helen Foster
Topic: Insufficient access control in glossary
Severity/Risk: Major
Versions affected: <1.8.11 and <1.9.7
Reported by: internal code review
Issue no.: MDL-20928
Solution: upgrade to 1.8.11 or 1.9.7
Workaround: use new mod/glossary/showentry.php


Description:
We have discovered that insufficient access control may allow unauthorised users to view glossary entries.

MSA-09-0023: User account disclosure in LAMS module

by Helen Foster
Topic: User account disclosure in LAMS module
Severity/Risk: Major
Versions affected: <1.8.11 and <1.9.7
Reported by: internal code review
Issue no.: MDL-20924
Solution: upgrade to 1.8.11 or 1.9.7
Workaround: uninstall module and delete mod/lams directory


Description:
The LAMS module code discloses the username, firstname and lastname database fields from the user table. This information could be used in other types of attacks.

MSA-09-0022: Multiple CSRF problems fixed

by Helen Foster
Topic: Multiple CSRF problems fixed
Severity/Risk: Major
Versions affected: <1.8.11 and <1.9.7
Reported by: internal code review
Issue no.: MDL-20705, MDL-20707, MDL-20706, MDL-20925, MDL-20929, MDL-20930, MDL-20931, MDL-20901
Solution: upgrade to 1.8.11 or 1.9.7
Workaround: none


Description:
We have discovered and fixed multiple cross-site request forgery (CSRF) problems during internal code review.