Security announcements

MSA-08-0022: XSS through Wiki page titles

by Petr Skoda -
Topic: Cross Site Scripting (XSS) possible through Wiki page titles
Severity: High
Versions affected: < 1.6.8, < 1.7.6, < 1.8.7, < 1.9.3
Reported by: Mike Churchward
Issue no.: MDL-15896
Solution: update to latest releases

Description:

Wiki page names were not sanitised on output, allowing for potential cross site scripting (XSS) issues.

MSA-08-0021: design deficiency combined with incorrect use of format_string() allowing XSS

by Petr Skoda -
Topic: design deficiency combined with incorrect use of format_string() allowing XSS
Severity: Major
Versions affected: < 1.6.8, < 1.7.6, < 1.8.7, < 1.9.3
Reported by: Lars Vogdt
Issue no.: MDL-15823
Solution: Update to latest releases or patch format_string() function
1.6.x http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.581.4.12&r2=1.581.4.13
1.7.x http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.674.2.35&r2=1.674.2.36
1.8.x http://cvs.moodle.org/moodle/lib/weblib.php?view=log&pathrev=MOODLE_18_STABLE
1.9.x http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.970.2.103&r2=1.970.2.104

Description:

Lars Vogdt reported a Cross Site Scripting (XSS) problem in one script; during the evaluation we realised that several other places might be affected too. The problem was caused by a combination of incorrect use of format_string() and the previous design of this function. We have decided to prevent this and any similar problems in future by adding more sanitisation into format_string().

MSA-08-0020: quiz/questions capabilities lack some risk flags in access.php files

by Petr Skoda -
Topic: quiz/questions capabilities lack some risk flags in access.php files
Severity: Minor
Versions affected: < 1.7.6, < 1.8.7, < 1.9.3
Reported by: internal code review
Issue no.: MDL-15819
Solution: upgrade to 1.7.6, 1.8.7, 1.9.3 or any recent nightly

Description:

We have discovered during code review that some quiz and questions related capabilities lack proper definition of associated risks. Administrators should update sites or at least review the changes in risk definitions in all quiz and question related capabilities.

MSA-08-0018: customised PhpMyAdmin package upgraded to 2.11.8.1

by Petr Skoda -
Topic: customised PhpMyAdmin upgraded to 2.11.8.1
Severity: Major
Versions affected: all
Reported by: upstream - PMASA-2008-6
Issue no.: MDL-15872
Solution: Install latest package from http://moodle.org/mod/data/view.php?d=13&rid=448

Description:

Added protection against cross-frame scripting. Please note that the XSS problem in setup.php does not affect Moodle because this file is not included in the customised Moodle package.

MSA-08-0017: customised PhpMyAdmin upgraded to 2.11.7.1

by Petr Skoda -
Topic: customised PhpMyAdmin upgraded to 2.11.7.1
Severity: Major
Versions affected: all
Reported by: upstream
Issue no.: MDL-15665
Solution: Install latest package from http://moodle.org/mod/data/view.php?d=13&rid=448

Description:

A bug that allows XSRF/CSRF by manipulating the db, convcharset and collation_connection parameters was discovered in PhpMyAdmin and fixed there (thanks to YGN Ethical Hacker Group; details not disclosed yet). Our local optional add-on based on PhpMyAdmin has now also been updated with this fix.

MSA-08-0016: Email could be changed in profile without confirmation

by Petr Skoda -
Topic: Email could be changed in profile without confirmation
Severity: Major
Versions affected: < 1.8.6, < 1.9.2
Reported by: multiple external reports
Issue no.: MDL-13811
Solution: upgrade to 1.9.2 or 1.8.6. Patch is provided at MDL-13811

Description:

In previous versions of Moodle, a user who is already authenticated could change their own email address without having to prove they could access that new email account. In Moodle 1.8.6 and 1.9.2 a new setting called emailchangeconfirmation (default: on) now forces all users on the site to go through a confirmation process whenever they want to change their email account. Moodle 1.6.x and 1.7.x sites have not had this new feature added yet - we highly recommend upgrading to 1.9.x if this concerns you.

MSA-08-0015: accessible profiles of deleted users

by Petr Skoda -
Topic: accessible profiles of deleted users
Severity: Major
Versions affected: < 1.6.7, < 1.7.5, < 1.8.6, < 1.9.2
Reported by: Debbie McDonald and Mauno Korpelainen
Issue no.: MDL-15516
Solution: upgrade to 1.6.7, 1.7.5, 1.8.6, 1.9.2 or any recent nightly or use patch http://cvs.moodle.org/moodle/user/view.php?r1=1.123.2.8&r2=1.123.2.9

Description:

Profiles of deleted users were accessible which allowed spammers to abuse user profiles on some sites. Also please make sure that you have "Force users to login for profiles" set as enabled in admin settings if your site allows registering of new users.

MSA-08-0014: potential sql injection in events handling code

by Petr Skoda -
Topic: potential sql injection in events handling code
Severity: Minor
Versions affected: 1.9.0 and 1.9.1 only
Reported by: internal
Issue no.: MDL-15552
Solution: upgrade to 1.9.2 or any recent nightly; upgrade needed only if custom code uses Events API

Description:

During internal review it was discovered that the new Events framework might be vulnerable to SQL attacks. This code is not currently used within Moodle core, but sites' 3rd party modifications could be vulnerable. If you have any code using the Events API, please read the details in http://tracker.moodle.org/browse/MDL-9983 on how to update your code to comply with this change. Please note that the changes in 1.9.2 are not backwards compatible.

MSA-08-0013: CSRF (Cross-site Request Forgery) on Moodle edit profile page

by Petr Skoda -
Topic: CSRF (Cross-site Request Forgery) on Moodle edit profile page
Severity: Major
Versions affected: < 1.6.7, < 1.7.5
Reported by: Amir Azam and Adrian Pastor of ProCheckUp Ltd. (www.procheckup.com)
Issue no.: MDL-15450
Solution: upgrade to 1.6.7, 1.7.5 or any recent nightly or use patch http://cvs.moodle.org/moodle/user/edit.php?r1=1.112.2.4.2.1&r2=1.112.2.4.2.2 + http://cvs.moodle.org/moodle/user/Attic/edit.html?r1=1.88.2.3&r2=1.88.2.3.2.1

Description:

ProCheckup discovered that the user profile page in 1.6.x and 1.7.x sites is vulnerable to CSRF (Cross-site Request Forgery) attacks. Versions 1.8 and above are not vulnerable due to the increased protection the forms library enforces. We would like to thank them for informing us in a responsible manner and coordinating the disclosure of security advisories.
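As an added illustration of the kind of protection a forms library can enforce on every state-changing form such as the profile editor (this is not Moodle's own code; the function and field names are assumptions), a per-session form token that a cross-site request cannot supply:

```php
<?php
// Added example, not Moodle code: a per-session anti-CSRF token for a
// profile edit form. Names (csrf_token, require_csrf_token) are assumed.
session_start();

// Issue one random token per session and reuse it for every form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Verify the token submitted with a state-changing request.
// Returns true only for a non-empty token that matches the session copy.
function require_csrf_token(array $post): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given) || $given === '') {
        return false;
    }
    return hash_equals($expected, $given); // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // A forged cross-site POST carries the victim's cookies but cannot
    // read the token out of the victim's page, so it fails here.
    if (!require_csrf_token($_POST)) {
        http_response_code(403);
        exit('Invalid or missing form token');
    }
    // ... only now apply the profile change (email, name, etc.) ...
    echo 'Profile updated';
    exit;
}
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <label>Email <input type="email" name="email"></label>
  <button type="submit">Save</button>
</form>
```

Every form that changes state must include the hidden field, and every handler must call the check before acting; a forms library that emits the field and performs the check automatically removes the per-page chance to forget it.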