Security announcements

MSA-09-0002: User pix disclosure

by Petr Skoda
Topic: No way easy to remove pictures of deleted users
Severity: Minor
Versions affected: < 1.9.4, < 1.8.8
Reported by: Juan Segarra Montesinos
Issue no.: MDL-17027
Solution: update to latest weeklies or replace /user/pix.php; workaround is to disable upload of avatars and remove all current images; fix was not backported into 1.7.x and 1.6.x branches


Description:
User avatars did not have any login protection at all - intentionally. Login is now required if you enable $CFG->forcelogin (login required for all pages, disabled by default).

Note:
Exploit described in tracker. Please do not confuse this setting with $CFG->forceloginforprofiles.

MSA-09-0001: No way easy to remove pictures of deleted users

by Petr Skoda
Topic: No way easy to remove pictures of deleted users
Severity: Minor
Versions affected: < 1.9.4, < 1.8.8
Reported by: Howard Miller
Issue no.: MDL-17065
Solution: update to latest releases, weeklies or replace /user/pix.php; workaround is to remove images before deleting users or delete from shell/ftp; fix was not backported into 1.7.x and 1.6.x branches


Description:
Spammers or other vandals might upload unwanted images as avatars. After deleting users there was no easy way to remove those images. Solution was to ignore images of deleted users. See tracker for details.

Note:
Exploits would probably target wikis, databases and glossaries, because admins usually delete forum posts first since they are easy to spot (they are linked from the profile).
The final solution should be implemented in 2.0: full purging of user accounts on delete, which would remove all user data.

MSA-08-0028: customised PhpMyAdmin package upgraded to 2.11.9.4

by Petr Skoda
Topic: customised PhpMyAdmin upgraded to 2.11.9.4
Severity: Critical - exploit publicly available
Versions affected: all
Reported by: upstream - PMASA-2008-10
Issue no.: MDL-17576
Solution: Install latest package from http://moodle.org/mod/data/view.php?d=13&rid=448

Description:

see http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-10

MSA-08-0026: customised HTML Purifier upgraded to 2.1.5

by Petr Skoda
Topic: customised HTML Purifier upgraded to 2.1.5
Severity: Minor
Versions affected: 1.9.0, 1.9.1, 1.9.2
Reported by: upstream
Issue no.: MDL-16667
Solution: upgrade to latest release or use standard KSES text cleaning engine

Description:

see http://htmlpurifier.org/

MSA-08-0025: SQL injection in tags code

by Petr Skoda
Topic: SQL injection in tags code
Severity: High
Versions affected: 1.9.0, 1.9.1, 1.9.2
Reported by: D P
Issue no.: MDL-16585
Solution: update to latest release

Description:

SQL injection problem was reported in tag related code. Please update your site or disable tags feature.

MSA-08-0024: Overriding of frozen values in Moodle forms

by Petr Skoda
Topic: Overriding of frozen values in Moodle forms
Severity: Minor
Versions affected: < 1.8.7, < 1.9.3
Reported by: Ashley Holman
Issue no.: MDL-16839
Solution: update to latest releases

Description:

Ashley Holman reported that it is possible to sidestep the user profile locking mechanism. The cause lies in our quickforms integration; unfortunately it cannot be fixed there without potential regressions. We have decided to work around this problem by using setConstant() together with hardFreeze(). Please update your code in a similar way if required. The problem will be fully resolved in 2.0.
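The workaround above, as an added illustration that is not Moodle's own code: a moodleform with a locked profile field, showing why hardFreeze() alone is not enough and how setConstant() pins the value server-side. The form class name, the field name "institution" and the way the current value is passed in via _customdata are assumptions.

```php
<?php
// Added illustration, not code from the advisory or from Moodle itself.
require_once($CFG->libdir.'/formslib.php');

class profile_edit_form extends moodleform {
    function definition() {
        $mform =& $this->_form;

        // Assumed: the caller passes the trusted, stored value of the locked field.
        $current = $this->_customdata['institution'];

        $mform->addElement('text', 'institution', get_string('institution'));
        $mform->setType('institution', PARAM_TEXT);

        // Weak pattern: hardFreeze() only renders the element read-only.
        // A submitted request that still carries "institution=..." is read
        // back by get_data(), so the profile lock can be bypassed.
        $mform->hardFreeze('institution');

        // Workaround from the advisory: also declare the element a constant,
        // so whatever was submitted is replaced by the trusted value.
        $mform->setConstant('institution', $current);

        $this->add_action_buttons();
    }
}
```

With both calls in place, get_data() returns $current for the field regardless of what the client posted.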

MSA-08-0023: CSRF in messaging setting

by Petr Skoda
Topic: Cross Site Request Forgery (CSRF) in messaging setting
Severity: Major
Versions affected: < 1.6.8, < 1.7.6, < 1.8.7, < 1.9.3
Reported by: internal code review
Issue no.: MDL-16688
Solution: update to latest releases

Description:

The messaging settings page was exposed to a CSRF vulnerability because it wasn't protected by the sesskey mechanism.
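The sesskey mechanism the fix relies on, as an added example rather than the original messaging settings script: the form embeds the per-session key and the handler refuses to save unless it is present and valid. The preference name, the checkbox name and the redirect target are assumptions.

```php
<?php
// Added illustration, not the messaging page from the advisory.
require_once('../config.php');
require_login();

$blocknoncontacts = optional_param('blocknoncontacts', 0, PARAM_INT);

if ($data = data_submitted()) {
    // Before the fix a forged POST from another site was accepted here.
    // confirm_sesskey() compares the submitted "sesskey" field with the
    // key stored in this user's session; a cross-site request cannot know it.
    if (!confirm_sesskey()) {
        print_error('invalidsesskey');
    }
    // Assumed preference name for the setting being saved.
    set_user_preference('message_blocknoncontacts', $blocknoncontacts);
    redirect($CFG->wwwroot.'/message/edit.php');
}

// The hidden field carries the key, so only a form rendered in this
// session (and thus same-origin) can produce an accepted submission.
echo '<form method="post" action="edit.php">';
echo '<input type="hidden" name="sesskey" value="'.sesskey().'" />';
echo '<input type="checkbox" name="blocknoncontacts" value="1" />';
echo '<input type="submit" value="'.get_string('savechanges').'" />';
echo '</form>';
```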

MSA-08-0022: XSS through Wiki page titles

by Petr Skoda
Topic: Cross Site Scripting (XSS) possible through Wiki page titles
Severity: High
Versions affected: < 1.6.8, < 1.7.6, < 1.8.7, < 1.9.3
Reported by: Mike Churchward
Issue no.: MDL-15896
Solution: update to latest releases

Description:

Wiki page names were not sanitised on output, allowing for potential cross site scripting (XSS) issues.

MSA-08-0021: design deficiency combined with incorrect use of format_string() allowing XSS

by Petr Skoda
Topic: design deficiency combined with incorrect use of format_string() allowing XSS
Severity: Major
Versions affected: < 1.6.8, < 1.7.6, < 1.8.7, < 1.9.3
Reported by: Lars Vogdt
Issue no.: MDL-15823
Solution: Update to latest releases or patch format_string() function
1.6.x http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.581.4.12&r2=1.581.4.13
1.7.x http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.674.2.35&r2=1.674.2.36
1.8.x http://cvs.moodle.org/moodle/lib/weblib.php?view=log&pathrev=MOODLE_18_STABLE
1.9.x http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.970.2.103&r2=1.970.2.104

Description:

Lars Vogdt reported a Cross Site Scripting (XSS) problem in one script; during the evaluation we realised that several other places might be affected too. The problem was caused by a combination of incorrect use of format_string() and the previous design of that function. We have decided to prevent this and any similar problems in future by adding more sanitisation to format_string().