Security announcements

MSA-09-0011: Glossary, database and forum ratings are not verified after submission

by Petr Skoda -
Topic: Glossary, database and forum ratings are not verified after submission
Severity: Major
Versions affected: < 1.9.5, < 1.8.9, 1.7.x, 1.6.x
Reported by: Eloy Lafuente
Issue no.: MDL-18058, MDL-18059 and MDL-17365
Solution: upgrade to 1.9.5, 1.8.9 or latest 1.6.9+ and 1.7.7+ weekly builds


Description:
Eloy Lafuente discovered that submitted ratings are not verified after submission, which may alter results and affect final grades.

MSA-09-0010: Unzip binary may create symbolic links pointing outside of dataroot on unix/linux servers

by Petr Skoda -
Topic: Unzip binary may create symbolic links pointing outside of dataroot on unix/linux servers
Severity: Major
Versions affected: < 1.9.5, < 1.8.9, 1.7.x, 1.6.x
Reported by: Marc-Robin Wendt
Issue no.: MDL-18415
Solution: upgrade to 1.9.5 or 1.8.9
Workaround: use default internal unzip method


Description:
Marc-Robin Wendt reported the problem and proposed a solution of how to eliminate symbolic links when unzipping files. Info-zip executables can zip and unzip symbolic links. By default only trusted users are allowed to extract zip files. This should not be exploitable by students unless the roles are misconfigured or 3rd party extensions are installed.
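The following is an added example, not Moodle's fix and not code from this announcement: a Python audit that lists symbolic-link entries in a zip archive and flags targets that resolve outside the extraction root, so an archive can be checked before it is handed to an external unzip binary. The function names, the sample archive and its paths are constructed for illustration.

```python
import io
import posixpath
import stat
import zipfile


def find_symlink_entries(zip_bytes):
    """Return (name, target) for every member stored as a Unix symlink."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # create_system == 3 means the entry was written on Unix; the
            # upper 16 bits of external_attr then carry the st_mode value.
            mode = info.external_attr >> 16
            if info.create_system == 3 and stat.S_ISLNK(mode):
                # For a symlink entry the member body is the link target.
                target = zf.read(info).decode("utf-8", "replace")
                flagged.append((info.filename, target))
    return flagged


def escapes_root(name, target):
    """True if the link target resolves outside the extraction directory."""
    if posixpath.isabs(target):
        return True
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(name), target))
    return resolved == ".." or resolved.startswith("../")


def build_sample_archive():
    """Constructed sample: one regular file and one symlink entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "regular file")
        link = zipfile.ZipInfo("course/link")
        link.create_system = 3
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../outside-dataroot")
    return buf.getvalue()


if __name__ == "__main__":
    for name, target in find_symlink_entries(build_sample_archive()):
        verdict = "escapes root" if escapes_root(name, target) else "stays inside"
        print(f"{name} -> {target} ({verdict})")
```
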

MSA-09-0009: TeX filter file disclosure

by Petr Skoda -
Topic: TeX filter file disclosure
Severity: Major
Versions affected: <= 1.9.4, <= 1.8.8, <= 1.7.7, <=1.6.9
Reported by: Christian Eibl
Issue no.: MDL-18552, CVE-2009-1171
Solution: update to latest weeklies or copy latest filter/tex/*.* and filter/algebra/*.* into your current install
Workaround: disable or delete TeX and Algebra filters completely


Description:
Christian Eibl reported and helped fix a serious TeX filter problem. Unfortunately the details were released before we had a chance to inform administrators of registered Moodle sites. Please update your servers immediately or disable the TeX and Algebra filters until you are able to update.

Prevent profile spam on your Moodle site

by Martin Dougiamas -
One of the most common security issues that we see in Moodle sites is profile spam.

Profile spam is primarily a problem on sites with the combination of these two settings:
  1. email authentication is enabled, allowing people to self-create an account on the site
  2. the admin setting forceloginforprofiles is disabled, allowing anyone to see and link to user profiles
Some older versions of Moodle had these as default.

The problem with these settings is that spammers can create a page on the Moodle site which they can fill with links and pictures of porn and other nasty stuff. This in turn comes up in Google searches for those things, and is used to boost ratings to porn sites or hacking sites designed to take over your personal computer. Note that this content is designed for people using search engines, and is usually not available from within the Moodle site itself (since spammers don't join any courses) so users and admins are usually not even aware their site is having this problem.

Please pass the word to all Moodle admins that you know to check these Moodle site settings and make sure their sites are not vulnerable to profile spam. Email authentication should be disabled if not needed, and if it can't then forceloginforprofiles should definitely be enabled.

Please also use our spam-cleaning tool to scan your site to find affected profiles and delete them. This page in the docs has more details: Reducing_spam_in_Moodle and you can also get help in the Security and Privacy forum.

MSA-09-0008: CSRF vulnerability in forum code

by Petr Skoda -
Topic: CSRF vulnerability in forum code
Severity: Major
Versions affected: < 1.9.4, < 1.8.8, < 1.7.7
Reported by: Kevin Madura
Issue no.: MDL-17799, CVE-2009-0499
Solution: update to latest releases, weeklies or
http://cvs.moodle.org/moodle/mod/forum/post.php?r1=1.154.2.14&r2=1.154.2.15
http://cvs.moodle.org/moodle/mod/forum/prune.html?r1=1.8&r2=1.8.4.1
http://cvs.moodle.org/moodle/mod/forum/post.php?r1=1.154.2.15&r2=1.154.2.16


Description:
Kevin Madura reported a CSRF problem, which can be abused for unauthorised deleting of forum posts.

MSA-09-0007: Missing input validation in logs allows potential XSS attacks

by Petr Skoda -
Topic: Missing input validation in logs allows potential XSS attacks
Severity: Major
Versions affected: < 1.9.4, < 1.8.8, < 1.7.7, < 1.6.9
Reported by: Full Name
Issue no.: MDL-17799, CVE-2009-0500
Solution: update to latest releases, weeklies or
http://cvs.moodle.org/moodle/course/lib.php?r1=1.538.2.66&r2=1.538.2.67


Description:
Some information stored in the log table was not properly validated before being displayed on the log report.

MSA-09-0006: Calendar export may allow brute force attacks

by Petr Skoda -
Topic: Calendar export may allow brute force attacks
Severity: Major
Versions affected: < 1.9.4, < 1.8.8
Reported by: Daniel Cabezas
Issue no.: MDL-17203, CVE-2009-0501
Solution: update to latest releases or weeklies


Description:
Calendar export was disclosing sensitive information which could allow brute force attacks on user accounts.

MSA-09-0005: Moodle 'spell-check-logic.cgi' Insecure Temporary File Creation Vulnerability

by Petr Skoda -
Topic: Moodle 'spell-check-logic.cgi' Insecure Temporary File Creation Vulnerability
Severity: Major
Versions affected: < 1.9.4, < 1.8.8, < 1.7.7, < 1.6.9
Reported by: http://www.securityfocus.com/bid/32402
Issue no.: MDL-17368 / CVE-2008-5153
Solution: update to latest releases or remove the directory: lib/editor/htmlarea/plugins/SpellChecker/


Description:
See bug for details - it is safe to delete that directory because we use a different spellchecker.

MSA-09-0004: XSS vulnerabilities in HTML blocks if "Login as" used

by Petr Skoda -
Topic: Vulnerability in Snoopy 1.2.3
Severity: Major
Versions affected: < 1.9.4, < 1.8.8, < 1.7.7, < 1.6.9
Reported by: The Rat
Issue no.: MDL-17236, CVE-2009-0502
Solution: update to latest releases or weeklies
http://cvs.moodle.org/moodle/blocks/html/config_instance.html?r1=1.6&r2=1.6.10.1
http://cvs.moodle.org/moodle/blocks/html/block_html.php?r1=1.8.22.6&r2=1.8.22.7


Description:
It was reported that there is an XSS vulnerability in the HTML block; it can be exploited if a teacher or administrator uses "Login as" and goes to the MyMoodle or Blog page of that user.

MSA-09-0003: Vulnerability in Snoopy 1.2.3

by Petr Skoda -
Topic: Vulnerability in Snoopy 1.2.3
Severity: Major
Versions affected: < 1.9.4, < 1.8.8, < 1.7.7, < 1.6.9
Reported by: Nigel McNie
Issue no.: MDL-17110 / CVE-2008-4796
Solution: update to latest releases, weeklies or patch lib/snoopy/*


Description:
The Snoopy 1.2.3 library does incorrect shell command escaping when fetching from https.

Note:
The easiest way to exploit this is probably the RSS block on the My moodle page - any registered user. Please note that Moodle 1.9.x uses Snoopy only if the PHP Curl extension is NOT installed, because we have patched magpie to use our download_file_content() - see MDL-11845