| Topic: | Error in ADODB OCI8/MSSQL drivers allows SQL injection vulnerability |
| Severity/Risk: | Critical (only servers using Oracle and MS SQL databases) |
| Versions affected: | <1.9.6 |
| Reported by: | Sam Moffatt |
| Issue no.: | MDL-19452 |
| Solution: | upgrade to latest weekly build or 1.9.6 |
| Workaround: | none |
Description:
Sam Moffatt discovered a potential problem in the way ADODB library is quoting special characters when the database engine is using Sybase style quoting.
| Topic: | Teachers can view students' grades in all courses in the overview report |
| Severity/Risk: | Minor |
| Versions affected: | <1.9.6 |
| Reported by: | Ratana Lim |
| Issue no.: | MDL-20355 |
| Solution: | upgrade to latest weekly build or 1.9.6 |
| Workaround: | remove the overview report link - see http://docs.moodle.org/en/Simplifying_the_gradebook |
Description:
Teachers could view students' grades in all courses, including courses for which they do not have teacher rights, in the overview report.
| Topic: | SQL injection in update_record |
| Severity/Risk: | Critical |
| Versions affected: | <1.9.6, <1.8.10, 1.7.x |
| Reported by: | Georg-Christian Pranschke |
| Issue no.: | MDL-20309 |
| Solution: | upgrade to latest weekly builds, 1.9.6 or 1.8.10 |
| Workaround: | apply patches: |
Description:
Georg-Christian Pranschke discovered a serious problem in update_record function. This problem may allow any registered user to exploit several different scripts.
| Topic: | Incorrect escaping when updating first post in a single simple discussion forum type |
| Severity/Risk: | Minor |
| Versions affected: | <1.9.6, <1.8.10 |
| Reported by: | Nicola Vitacolonna |
| Issue no.: | MDL-20555 |
| Solution: | upgrade to latest weekly build or 1.9.6 |
| Workaround: | none |
Description:
Nicola Vitacolonna discovered forum introduction is incorrectly escaped when editing the first post of a single simple discussion forum. This can potentially lead to SQL injection attacks by teachers. Students can not exploit this problem.
| Topic: | Upgrade code 1.9 does not escape tags properly |
| Severity/Risk: | Minor |
| Versions affected: | <1.9.6 |
| Reported by: | Matt Oquist |
| Issue no.: | MDL-19709 |
| Solution: | do not use 1.9.0-1.9.5 when upgrading from any previous version |
Description:
The upgrade code does not properly escape tags properly when upgrading from any version before 1.9.0.
| Topic: | Email not properly escaped on user edit page |
| Severity/Risk: | Minor |
| Versions affected: | <1.9.6 |
| Reported by: | Alan Trick |
| Issue no.: | MDL-20295 |
| Solution: | upgrade to latest weekly build or 1.9.6 |
| Workaround: | disable email change confirmation (not recommended) |
Description:
Alan Trick discovered that the email change confirmation code does not escape the email addresses properly. This problem is marked as minor because the email address is validated and can not contain an arbitrary text.
| Topic: | Customised PhpMyAdmin upgraded to 2.11.9.6 |
| Severity: | Major |
| Versions affected: | all |
| Reported by: | upstream - PMASA-2009-6; CVE-2009-3696 and CVE-2009-3697 |
| Issue no.: | MDL-20553 |
| Solution: | Install latest package from http://moodle.org/mod/data/view.php?d=13&rid=448 or cvs |
| Workaround: | delete admin/mysql/* |
Description:
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2009-6
| Topic: | mimeTeX vulnerabilities |
| Severity/Risk: | Major |
| Versions affected: | all |
| Reported by: | upstream - http://www.ocert.org/advisories/ocert-2009-010.html |
| Issue no.: | MDL-19832, CVE-2009-1382 |
| Solution: | upgrade to latest weekly built, stable CVS, nightly build or copy new mimetex.* executables into any older release |
| Workaround: | disable tex and algebra filters |
Description:
John Forkosh fixed several serious vulnerabilities in mimeTeX binary which is used in Moodle by TeX and Algebra filter. This was rated as "critical" upstream, however the risk is slightly less on Moodle because this filter can be disabled (and is disabled by default). In addition, the vulnerability is only exposed to valid users who have logged in to Moodle.
| Topic: | Customised PhpMyAdmin upgraded to 2.11.9.5 |
| Severity: | Major |
| Versions affected: | all |
| Reported by: | upstream - PMASA-2009-1, PMASA-2009-2, PMASA-2009-3, PMASA-2009-4 |
| Issue no.: | MDL-19234 |
| Solution: | Install latest package from http://moodle.org/mod/data/view.php?d=13&rid=448 or cvs |
| Workaround: | delete admin/mysql/* |
Description:
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2009-1
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2009-2
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2009-3
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2009-4
Please note that some of these vulnerabilities may not be exploitable due to our specific integration changes.
| Topic: | SQL injections when importing outcomes |
| Severity: | Major |
| Versions affected: | < 1.9.5 |
| Reported by: | internal review |
| Issue no.: | MDL-19036 |
| Solution: | upgrade to 1.9.5 |
Description:
When reviewing the import outcomes code, it was discovered that incorrect coding allowed SQL injections. By default only trusted users are allowed to use this part of gradebook. It can not be exploited by students.
