Security announcements

MSA-09-0004: XSS vulnerabilities in HTML blocks if "Login as" used

by Petr Skoda
Topic: Vulnerability in Snoopy 1.2.3
Severity: Major
Versions affected: < 1.9.4, < 1.8.8, < 1.7.7, < 1.6.9
Reported by: The Rat
Issue no.: MDL-17236, CVE-2009-0502
Solution: update to latest releases or weeklies
http://cvs.moodle.org/moodle/blocks/html/config_instance.html?r1=1.6&r2=1.6.10.1
http://cvs.moodle.org/moodle/blocks/html/block_html.php?r1=1.8.22.6&r2=1.8.22.7


Description:
It was reported that there is an XSS vulnerability in the HTML block. It can be exploited if a teacher or administrator uses "Login as" and then goes to the MyMoodle or Blog page of that user.

MSA-09-0003: Vulnerability in Snoopy 1.2.3

by Petr Skoda
Topic: Vulnerability in Snoopy 1.2.3
Severity: Major
Versions affected: < 1.9.4, < 1.8.8, < 1.7.7, < 1.6.9
Reported by: Nigel McNie
Issue no.: MDL-17110 / CVE-2008-4796
Solution: update to latest releases, weeklies or patch lib/snoopy/*


Description:
The Snoopy 1.2.3 library escapes shell commands incorrectly when fetching over https.

Note:
The easiest way to exploit this is probably the RSS block on the My moodle page (any registered user). Please note that Moodle 1.9.x uses Snoopy only if the PHP Curl extension is NOT installed, because we have patched magpie to use our download_file_content() - see MDL-11845.
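
Added example, not Snoopy or Moodle code: it contrasts the general weak pattern behind this class of bug (escapeshellcmd() applied to a single URL argument of a curl command line) with a hardened form that validates the URL and quotes it with escapeshellarg(). The function names, the curl path and the sample URLs are constructed for illustration; the commands are only built and printed, never executed.

```php
<?php
// Added illustration; not Snoopy or Moodle code. Function names, the curl
// path and the sample URLs below are constructed for this example.

const CURL_BIN = '/usr/bin/curl';

// Weak: escapeshellcmd() is meant for a whole command string. It leaves
// spaces and *paired* quotes untouched, so a URL can close the surrounding
// double quotes and append extra arguments to the command.
function build_fetch_weak(string $url): string
{
    return CURL_BIN . ' "' . escapeshellcmd($url) . '"';
}

// Hardened: accept only http(s) URLs built from an allowlist of URL
// characters (no whitespace, quotes, backslash or backtick), then quote the
// value as exactly one shell argument with escapeshellarg().
function build_fetch_hardened(string $url): ?string
{
    $allowed = '#^https?://[A-Za-z0-9._~:/?\#\[\]@!$&()*+,;=%-]+$#';
    if (!preg_match($allowed, $url)) {
        return null; // reject instead of trying to repair the input
    }
    return CURL_BIN . ' ' . escapeshellarg($url);
}

// Constructed sample inputs: a normal feed URL and one carrying a paired
// quote plus an extra (harmless) curl option.
$samples = [
    'https://feeds.example.test/rss.xml',
    'https://feeds.example.test/rss.xml" --verbose "',
];

foreach ($samples as $url) {
    echo "input:    {$url}\n";
    echo "weak:     " . build_fetch_weak($url) . "\n";
    echo "hardened: " . (build_fetch_hardened($url) ?? '(rejected)') . "\n\n";
}
```

Fetching through the PHP Curl extension, as the note above says Moodle 1.9.x does when it is installed, avoids building a shell command at all.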

MSA-09-0002: User pix disclosure

by Petr Skoda
Topic: No way easy to remove pictures of deleted users
Severity: Minor
Versions affected: < 1.9.4, < 1.8.8
Reported by: Juan Segarra Montesinos
Issue no.: MDL-17027
Solution: update to latest weeklies or replace /user/pix.php; workaround is to disable upload of avatars and remove all current images; fix was not backported into 1.7.x and 1.6.x branches


Description:
User avatars did not have any login protection at all - intentionally. Login is now required if you enable $CFG->forcelogin (login required for all pages, disabled by default).

Note:
Exploit described in tracker. Please do not confuse this setting with $CFG->forceloginforprofiles.

MSA-09-0001: No way easy to remove pictures of deleted users

by Petr Skoda
Topic: No way easy to remove pictures of deleted users
Severity: Minor
Versions affected: < 1.9.4, < 1.8.8
Reported by: Howard Miller
Issue no.: MDL-17065
Solution: update to latest releases, weeklies or replace /user/pix.php; workaround is to remove images before deleting users or delete from shell/ftp; fix was not backported into 1.7.x and 1.6.x branches


Description:
Spammers or other vandals might upload unwanted images as avatars. After deleting users there was no easy way to remove those images. The solution was to ignore images of deleted users. See tracker for details.

Note:
Exploits would probably be targeted at wikis, databases and glossaries, because admins usually delete forum posts because they are easy to stop (== linked from profile).
The final solution should be an implementation in 2.0 of full purging of user accounts after deletion, which would remove all user data.

MSA-08-0028: customised PhpMyAdmin package upgraded to 2.11.9.4

by Petr Skoda
Topic: customised PhpMyAdmin upgraded to 2.11.9.4
Severity: Critical - exploit publicly available
Versions affected: all
Reported by: upstream - PMASA-2008-10
Issue no.: MDL-17576
Solution: Install latest package from http://moodle.org/mod/data/view.php?d=13&rid=448

Description:

see http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-10

MSA-08-0027: customised PhpMyAdmin package upgraded to 2.11.9.3

by Petr Skoda
Topic: customised PhpMyAdmin upgraded to 2.11.9.3
Severity: Major
Versions affected: all
Reported by: upstream - PMASA-2008-9
Issue no.: MDL-17097
Solution: Install latest package from http://moodle.org/mod/data/view.php?d=13&rid=448

Description:

see http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-9

MSA-08-0025: SQL injection in tags code

by Petr Skoda
Topic: SQL injection in tags code
Severity: High
Versions affected: 1.9.0, 1.9.1, 1.9.2
Reported by: D P
Issue no.: MDL-16585
Solution: update to latest release

Description:

An SQL injection problem was reported in tag-related code. Please update your site or disable the tags feature.

MSA-08-0024: Overriding of frozen values in Moodle forms

by Petr Skoda
Topic: Overriding of frozen values in Moodle forms
Severity: Minor
Versions affected: < 1.8.7, < 1.9.3
Reported by: Ashley Holman
Issue no.: MDL-16839
Solution: update to latest releases

Description:

Ashley Holman reported that it is possible to sidestep the user profile locking mechanism. The cause of this is in our quickforms integration; unfortunately it cannot be fixed without potential regressions. We have decided to work around this problem by using setConstant() together with hardFreeze(). Please update your code in a similar way if required. The problem will be fully resolved in 2.0.

MSA-08-0023: CSRF in messaging setting

by Petr Skoda
Topic: Cross Site Request Forgery (CSRF) in messaging setting
Severity: Major
Versions affected: < 1.6.8, < 1.7.6, < 1.8.7, < 1.9.3
Reported by: internal code review
Issue no.: MDL-16688
Solution: update to latest releases

Description:

The messaging settings page was exposed to a CSRF vulnerability because it wasn't protected by the sesskey mechanism.