Date: Mon, 9 Feb 2015 10:55:49 +0800 From: Marina Glancy <marina@...dle.com> To: oss-security@...ts.openwall.com Subject: Moodle security issue made public Hi Kurt, we have still waited for a week after the release with the announcing of the security issue this time but we are actively discussing the change of process starting from the next release. The following security notifications have now been made public. Thanks to OSS members for their cooperation. It also looks like OSS has accidentally issued us another identifier: CVE-2015-1493. I'm letting you know that I have never used it in our announcements MSA-15-0009: Directory Traversal Attack possible through some files serving JS Description: Parameter "file" passed to scripts serving JS was not always cleaned from including "../" in the path, allowing to read files located outside of moodle directory. All OS are affected but especially vulnerable are Windows servers Issue summary: Preauthenticated Local File Disclosure Severity/Risk: Serious Versions affected: 2.8 to 2.8.2, 2.7 to 2.7.4, 2.6 to 2.6.7 and earlier unsupported versions Versions fixed: 2.8.3, 2.7.5 and 2.6.8 Reported by: Emiel Florijn Issue no.: MDL-48980 and MDL-48990 Workaround: Prevent access to URLs containing "../" or "..\" in web server configuration CVE identifier: CVE-2015-0246 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48980 Marina Glancy Development Process Manager marina@...dle.com +61894674167 | moodle.com The world's open source learning platform
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ