Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 25 Mar 2013 14:03:46 +0800
From: Michael de Raadt <michaeld@...dle.com>
To: oss-security@...ts.openwall.com
Subject: Moodle security notifications public

The following security notifications are now public. Thanks to OSS 
members for their cooperation.

=======================================================================
MSA-13-0011: Calendar subscription capability issue

Description:       Users without appropriate capabilities were shown
                    controls to update calendar subscriptions, even
                    though the were not able to modify subscriptions.
Issue summary:     Student should not be able to see the subscription
                    which they cant manage
Severity/Risk:     Minor
Versions affected: 2.4 to 2.4.1
Versions fixed:    2.4.2
Reported by:       Ankit Agarwal
Issue no.:         MDL-37338
CVE Identifier:    CVE-2013-1829
Workaround:        Avoid course and group calendar subscriptions
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37338

=======================================================================
MSA-13-0012: Information leak in course profiles

Description:       Course profiles were accessible without logging in
                    as a real user
Issue summary:     Course profiles open to google even when
                    forceloginforprofiles is enabled
Severity/Risk:     Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7,
                    earlier unsupported versions
Versions fixed:    2.4.2, 2.3.5, 2.2.8
Reported by:       Helen Foster
Issue no.:         MDL-37481
CVE Identifier:    CVE-2013-1830
Workaround:        Leave autologinguests and opentogoogle settings
                    disabled (default)
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37481

=======================================================================
MSA-13-0013: Server information revealed through exception messages

Description:       Exception messages were revealing server file
                    system information
Issue summary:     Server system path revealed through exception
                    messages
Severity/Risk:     Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7,
                    earlier unsupported versions
Versions fixed:    2.4.2, 2.3.5, 2.2.8
Reported by:       Mark Nielsen
Issue no.:         MDL-36901
CVE Identifier:    CVE-2013-1831
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36901

=======================================================================
MSA-13-0014: Password revealed in WebDav repository

Description:       The password for a WebDav repository was not hidden
                    on the repository configuration form
Issue summary:     WebDav repository password field is plain text
                    allowing admin to see password
Severity/Risk:     Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7,
                    earlier unsupported versions (2.x only)
Versions fixed:    2.4.2, 2.3.5, 2.2.8
Reported by:       John Holmes
Issue no.:         MDL-37681
CVE Identifier:    CVE-2013-1832
Workaround:        Avoid WebDav repositories requiring personal
                    passwords
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37681

=======================================================================
MSA-13-0015: Cross-site scripting issue in Filepicker

Description:       It was possible to upload files with filenames
                    containing HTML and JavaScript
Issue summary:     Code injection (XSS) possible in File Picker
Severity/Risk:     Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7,
                    earlier unsupported versions (2.x only)
Versions fixed:    2.4.2, 2.3.5, 2.2.8
Reported by:       Frédéric Massart
Issue no.:         MDL-37507
CVE Identifier:    CVE-2013-1833
Workaround:        Avoid the filesystem repository on Linux file
                    systems and the Google Docs/Drive repository
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37507

=======================================================================
MSA-13-0016: External Entity Injection through Zend library

Description:       Through the Zend library, clients of Moodle Web
                    services were potentially able to reveal files
                    on the server
Issue summary:     Zend XmlRpc: Local file disclosure via XXE injection
Severity/Risk:     Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7,
                    earlier unsupported versions (2.x only)
Versions fixed:    2.4.2, 2.3.5, 2.2.8
Reported by:       Frédéric Massart
Issue no.:         MDL-34284
CVE Identifier:    CVE-2012-3363
Workaround:        Disable Web services
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284

=======================================================================
MSA-13-0017: Form manipulation issue in notes

Description:       By manipulating form elements it was possible to
                    assign a note to a different user during editing
Issue summary:     Go to the edit notes form, change userid in the html
                    with firebug => the targeted note user is changed
Severity/Risk:     Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7,
                    earlier unsupported versions (1.9 onwards)
Versions fixed:    2.4.2, 2.3.5, 2.2.8
Reported by:       Jérôme Mouneyrac
Issue no.:         MDL-37411
CVE Identifier:    CVE-2013-1834
Workaround:        Disable notes
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37411

=======================================================================
MSA-13-0018: Personal information leak through repositories

Description:       Users able to use "login as" were able to see the
                    personal repository content of the user they were
                    impersonating
Issue summary:     Admin users logged in as another user have access to
                    the content of their external repositories
Severity/Risk:     Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7,
                    earlier unsupported versions (2.x only)
Versions fixed:    2.4.2, 2.3.5, 2.2.8
Reported by:       Andrew Nicols
Issue no.:         MDL-36426
CVE Identifier:    CVE-2013-1835
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36426

=======================================================================
MSA-13-0019: Unauthorised settings editing through WebDav repository

Description:       Any user able to view WebDav repositories was able
                    to view, edit and delete site-wide WebDav
                    repositories
Issue summary:     Site-wide WebDAV repository instances options are
                    accessible
Severity/Risk:     Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7,
                    earlier unsupported versions (2.x only)
Versions fixed:    2.4.2, 2.3.5, 2.2.8
Reported by:       Frédéric Massart
Issue no.:         MDL-37852
CVE Identifier:    CVE-2013-1836
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37852

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ