Security announcements

MSA-08-0012: Potential non-persistent XSS when searching for group members (MSSQL and Oracle only)

by Petr Skoda -
Topic: Potential non-persistent XSS when searching for group members (MSSQL and Oracle only)
Severity: Major
Versions affected: 1.9.0, 1.9.1
Reported by: internal
Issue no.: MDL-15079
Solution: upgrade to 1.9.2 or any recent nightly or use patch http://cvs.moodle.org/moodle/group/members.php?r1=1.3.2.4&r2=1.3.2.5

Description:

We have discovered that systems running on MSSQL or Oracle databases are vulnerable to a non-persistent cross-site scripting (XSS) attack. This vulnerability was caused by incorrect escaping when using database engines which require Sybase-style quoting (MSSQL and Oracle only).

MSA-08-0011: Potential webroot disclosures warning

by Petr Skoda -
Topic: Potential webroot disclosures warning
Severity: Minor
Versions affected: all versions
Reported by: Richard Brain of ProCheckUp Ltd. (www.procheckup.com)
Issue no.: MDL-15413
Solution: make sure display_errors is disabled in the PHP configuration; 1.8.6 and 1.9.2 contain a new warning for administrators

Description:

ProCheckUp discovered that several scripts display PHP errors, which reveal the filesystem path of the Moodle installation, if display_errors is enabled in the PHP configuration. This problem will be fully fixed in later Moodle versions because it requires modification of many files and a review of all code from upstream; in the meantime please make sure your server is configured properly - see http://www.php.net/manual/en/errorfunc.configuration.php#ini.display-errors

We would like to thank them for informing us in a responsible manner and coordinating the disclosure of security advisories.
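The check a tester would run for the problem described above, as an added example that is not part of the advisory or of Moodle's own code: scan an HTTP response body for PHP's display_errors output (HTML-formatted with html_errors on, or plain), pull out the file path it names, and align that path with the URL path that produced it to recover the document root. Moodle is written in PHP; Python is used here because the check is language-neutral. The response bodies, script names and paths are constructed for the example, and the function names are hypothetical.

```python
import re

# PHP's display_errors output, both HTML-formatted (html_errors=On, the default) and
# plain, ends with "in <path> on line <n>", which is what leaks the install path.
PHP_ERROR_RE = re.compile(
    r"(?:<b>)?(?P<level>Fatal error|Parse error|Warning|Notice|Deprecated|Strict Standards)"
    r"(?:</b>)?:\s+(?P<msg>.*?)\s+in\s+(?:<b>)?"
    r"(?P<path>(?:/|[A-Za-z]:\\)[^<\s]*)(?:</b>)?\s+on\s+line\s+(?:<b>)?(?P<line>\d+)",
    re.DOTALL,
)


def find_php_errors(body):
    """Return every PHP error the response body displays, with the file path it names."""
    return [
        {"level": m.group("level"), "path": m.group("path"), "line": int(m.group("line"))}
        for m in PHP_ERROR_RE.finditer(body)
    ]


def infer_webroot(disclosed_path, url_path):
    """Align the leaked filesystem path with the URL path (query string already removed)
    that produced it and drop the trailing components they share; what is left is the
    web server's document root. Returns None when nothing lines up."""
    fs = disclosed_path.replace("\\", "/").split("/")
    url = url_path.strip("/").split("/")
    k = 0
    while k < min(len(fs), len(url)) and fs[-1 - k] == url[-1 - k]:
        k += 1
    if k == 0:
        return None
    return "/".join(fs[:len(fs) - k]) or "/"


def scan_response(url_path, body):
    """Both steps for one response: list of (level, path, line, inferred webroot)."""
    return [
        (e["level"], e["path"], e["line"], infer_webroot(e["path"], url_path))
        for e in find_php_errors(body)
    ]


# Constructed sample responses; the script names, paths and messages are made up.
LEAKY_HTML = (
    "<br />\n<b>Warning</b>:  include(nosuch.php) [<a href='function.include'>function.include</a>]: "
    "failed to open stream: No such file or directory in "
    "<b>/var/www/html/moodle/lib/setup.php</b> on line <b>12</b><br />\n"
    "<html><head><title>Moodle</title></head></html>"
)
LEAKY_PLAIN = "Notice: Undefined variable: foo in C:\\inetpub\\wwwroot\\moodle\\course\\view.php on line 44\n"
CLEAN = "<html><head><title>Moodle</title></head><body>Login</body></html>"

if __name__ == "__main__":
    samples = (("/moodle/lib/setup.php", LEAKY_HTML),
               ("/moodle/course/view.php", LEAKY_PLAIN),
               ("/moodle/login/index.php", CLEAN))
    for path, body in samples:
        print(path, scan_response(path, body))
```

Running the scan over a whole crawl of a site, rather than one response, is how the "several scripts" in the advisory would be enumerated; a non-empty result for any URL means display_errors is still on for that virtual host.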

MSA-08-0010: SQL injection in HotPot module

by Petr Skoda -
Topic: SQL injection in HotPot module
Severity: Major
Versions affected: <1.6.7, <1.7.5, <1.8.6, <1.9.2
Reported by: internal
Issue no.: MDL-15184
Solution: upgrade to 1.6.7, 1.7.5, 1.8.6, 1.9.2 or any recent nightly or use patch http://cvs.moodle.org/moodle/mod/hotpot/report.php?r1=1.8.6.1&r2=1.8.6.2

Description:

We have discovered that the HotPot module code in report.php was vulnerable to SQL injection attacks.

MSA-08-0009: Persistent Cross-site Scripting (XSS) on blog entry title parameter

by Petr Skoda -
Topic: Persistent Cross-site Scripting (XSS) on blog entry title parameter
Severity: Major
Versions affected: <1.6.7, <1.7.5
Reported by: Adrian Pastor and Amir Azam of ProCheckUp Ltd. (www.procheckup.com)
Issue no.: MDL-15392
Solution: upgrade to 1.6.7, 1.7.5 or any recent nightly or use patch http://cvs.moodle.org/moodle/blog/lib.php?r1=1.38.6.3&r2=1.38.6.2

Description:

ProCheckUp discovered that 1.6.x and 1.7.x sites with blogs enabled are vulnerable to persistent cross-site scripting (XSS) attacks through blog entry titles. We would like to thank them for informing us in a responsible manner and coordinating the disclosure of security advisories.
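An added illustration, not Moodle's code, of the root cause that MSA-08-0012 (reflected, via a search term) and MSA-08-0009 (persistent, via a stored blog title) have in common: quoting a value for the database is a different job from encoding it for HTML, and doing the first never substitutes for the second. The two quoting functions mirror the two styles Moodle 1.x drivers needed, backslash quoting and Sybase-style doubled quotes; the small literal scanner shows that both keep the term inside its SQL literal, and the render functions show that neither does anything about the markup in it. Moodle is PHP; Python is used because the point is language-neutral. The query, the render functions and the payloads are hypothetical and constructed.

```python
import html

# Constructed sample inputs (not taken from the advisories).
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
SQL_PAYLOAD = "x' OR 'a'='a"


def quote_backslash(value):
    """Escape a SQL string literal for backslash-quoting engines (MySQL, PostgreSQL)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def quote_sybase(value):
    """Escape a SQL string literal Sybase-style (MSSQL, Oracle): quotes are doubled,
    backslashes are ordinary characters."""
    return value.replace("'", "''")


def search_sql_raw(term):
    """Hypothetical member search built by concatenation with no quoting at all."""
    return "SELECT id FROM user WHERE lastname LIKE '%" + term + "%'"


def search_sql(term, quote):
    """The same query with the engine's quoting function applied to the term."""
    return search_sql_raw(quote(term))


def sql_literals(sql, style):
    """Decode the string literals an engine of the given style ('backslash' or 'sybase')
    would see in sql. One literal holding the whole term means the quoting held;
    several mean the term broke out of its literal."""
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            i += 1
            continue
        i, buf = i + 1, []
        while True:
            if i >= n:
                raise ValueError("unterminated string literal")
            c = sql[i]
            if style == "backslash" and c == "\\" and i + 1 < n:
                buf.append(sql[i + 1])          # \x stands for x
                i += 2
            elif c == "'" and style == "sybase" and sql[i + 1:i + 2] == "'":
                buf.append("'")                 # '' stands for '
                i += 2
            elif c == "'":
                i += 1                          # closing quote
                break
            else:
                buf.append(c)
                i += 1
        out.append("".join(buf))
    return out


def render_unsafe(label, value):
    """The bug class behind both advisories: a value written into HTML as-is. Whether it
    came from the query string or from a stored title, and however it was quoted for
    the database, the markup in it is live."""
    return "<p>%s: %s</p>" % (label, value)


def render_safe(label, value):
    """Fix: encode for the HTML context at the point of output."""
    return "<p>%s: %s</p>" % (label, html.escape(value, quote=True))


def render_blog_list(titles, render):
    """Persistent variant: titles stored earlier are rendered with the given function."""
    return "".join(render("Blog", t) for t in titles)


def markup_survives(rendered):
    """True if the constructed script payload is present verbatim in the output."""
    return SCRIPT_PAYLOAD in rendered


if __name__ == "__main__":
    for style, quote in (("backslash", quote_backslash), ("sybase", quote_sybase)):
        print(style, "literals:", sql_literals(search_sql(SQL_PAYLOAD, quote), style))
        print(style, "unsafe:", render_unsafe("Search", quote(SCRIPT_PAYLOAD)))
    print("safe:", render_safe("Search", SCRIPT_PAYLOAD))
```

The scanner is only there to make the "quoting held" claim checkable; in real code the equivalent is to use the driver's parameter binding and to escape on output in every context (HTML text, attribute, URL) separately.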

MSA-08-0008: KSES related issues

by Petr Skoda -
Topic: KSES related issues
Severity: Highly Critical
Versions affected: <1.6.7, <1.7.5, <1.8.5
Reported by: Łukasz Pilorz, Allegro.pl
Issue no.: MDL-13705
Solution: update to 1.6.7, 1.7.5, 1.8.6, 1.9.2 or any recent weekly build
or
1/ use latest cvs version of /lib/kses.php - 1.6.x, 1.7.x, 1.8.x
2/ and patch /lib/weblib.php using - 1.6.x, 1.7.x, 1.8.x
Posted: Tue, 15 Apr 2008 21:43:49 GMT

Description:

During an internal code review performed by Allegro.pl, some weaknesses were discovered in KSES, a PHP HTML/XHTML filter. HTML filters using or based on KSES are part of many popular projects, including WordPress, Moodle, Drupal, eGroupware, Dokeos, PHP-Nuke, Geeklog and others. The issues found range from cross-site scripting to code execution, depending on the implementation.

We received notice in advance from Łukasz Pilorz, who later helped us to fix this and found another related problem in Moodle code.

There is a new option "Use HTML Purifier" in 1.9; it uses a different whitelisting technique which is considered to be much safer than KSES.

Note: the severity of this issue was updated because an automated exploit script was released to the public and several sites were already compromised.

(Edited by Petr Škoda (škoďák) - original submission Tuesday, 15 April 2008, 9:43 PM)

MSA-08-0006: Moodle cookie path can not be restricted

by Petr Skoda -
Topic: Moodle cookie path can not be restricted
Severity: Low
Versions affected: <1.8.4
Reported by: Kevin
Issue no.: MDL-11927
Solution: Upgrade to 1.8.4 or latest stable snapshot. Or use patch:
http://cvs.moodle.org/moodle/lib/setup.php?r1=1.198.2.4&r2=1.198.2.5
http://cvs.moodle.org/moodle/lib/moodlelib.php?r1=1.837.2.76&r2=1.837.2.77

Description:

Starting with version 1.8.4 it is possible to limit the scope of Moodle session cookies through the sessioncookiepath setting. Please note that using the same server name (ex: www.example.com) for the Moodle installation and untrusted content (ex: www.example.com/~somestudent) is not recommended.
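What the setting above changes, as an added example that is not Moodle's code: browsers decide whether to attach a cookie to a request with the default-path and path-match rules of RFC 6265 section 5.1.4, reproduced below, so a session cookie with Path=/ is sent to everything on the host, including a student's area, while Path=/moodle confines it to requests under that prefix. It is also the limit of what the setting buys, and the reason the advisory still discourages sharing a host with untrusted content: the same-origin policy is keyed on scheme, host and port, not path, so a page under /~somestudent/ can still make requests to /moodle/ (to which the browser attaches the cookie, because the request path matches) and can read a same-origin frame of it; RFC 6265 section 8.6 states plainly that cookies do not provide isolation by path. Moodle is PHP; Python is used here because the rules are browser behaviour. The cookie name, paths and session id are constructed, and the function names are hypothetical.

```python
def default_path(request_path):
    """Path a cookie gets when Set-Cookie carries no Path attribute (RFC 6265 5.1.4)."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[:request_path.rfind("/")]


def path_matches(request_path, cookie_path):
    """RFC 6265 5.1.4 path-match: is a cookie scoped to cookie_path sent to request_path?"""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # Either the cookie path ends in "/" or the match stops at a path separator,
    # so /moodle does not cover /moodlex/.
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def session_cookie_header(name, value, path):
    """Set-Cookie line for the session cookie; path plays the role of sessioncookiepath."""
    return "Set-Cookie: %s=%s; Path=%s; HttpOnly" % (name, value, path)


def cookies_sent(jar, request_path):
    """Names of the cookies in jar, a list of (name, path), attached to request_path."""
    return [name for name, path in jar if path_matches(request_path, path)]


if __name__ == "__main__":
    sid = "constructed-session-id"
    # Unrestricted (Path=/) beside the restricted form made possible by sessioncookiepath.
    for cookie_path in ("/", "/moodle"):
        jar = [("MoodleSession", cookie_path)]
        print(session_cookie_header("MoodleSession", sid, cookie_path))
        for req in ("/moodle/course/view.php", "/~somestudent/page.php", "/moodlex/index.php"):
            print("  %-28s -> %s" % (req, cookies_sent(jar, req)))
```

Note that path_matches has no notion of who issued the request, which is exactly the gap: a request to /moodle/ triggered by script on /~somestudent/ matches the same as one triggered by Moodle's own pages.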

MSA-08-0005: Bypassing restriction on multiple file uploads

by Petr Skoda -
Topic: Bypassing restriction on multiple file uploads
Severity: Low
Versions affected: <1.7.x, <1.8.4
Reported by: Elites0ft Administrator
Issue no.: MDL-11783
Solution: Upgrade to 1.8.4 or latest stable snapshot.
In case of 1.7.x apply patch from http://cvs.moodle.org/moodle/mod/assignment/type/upload/assignment.class.php?r1=1.32.2.2&r2=1.32.2.3

MSA-08-0004: XSS in install.php before installation

by Petr Skoda -
Topic: XSS in install.php before config.php created - no action required on working installations
Severity: Very low
Versions affected: 1.5.x, <1.6.6, <1.7.4, <1.8.4
Reported by: Hanno Boeck (schokokeks)
Issue no.: MDL-12869
Solution: It is recommended to finish the installation immediately after uploading the Moodle files. Always use the latest stable version for an initial installation.

MSA-08-0003: Insufficient access control in Login as feature

by Petr Skoda -
Topic: Insufficient access control in Login as feature
Severity: Critical
Versions affected: 1.8-1.8.3
Reported by: Johannes Kuhn
Issue no.: MDL-12911
Solution: upgrade to 1.8.4
Patch: MOODLE_18_STABLE http://cvs.moodle.org/moodle/course/loginas.php?r1=1.44.2.1&r2=1.44.2.2

Description:

A critical security problem was discovered in the course/loginas.php script. Please do a full upgrade, or at least replace this file with the latest version from 1.8.4.