Date: Tue, 27 Apr 2010 22:06:59 +0100 From: Dan Poltawski <talktodan@...il.com> To: oss-security@...ts.openwall.com Subject: CVS request - Moodle Hello, Version 1.9.8 of Moodle has been released, fixing multiple security issues requiring CVE identifiers. These are detailed on http://moodle.org/security/ ========================================== MSA-10-0001: Topic: Vulnerability in KSES text cleaning Severity: Major Versions affected: <1.8.12 and <1.9.8 Reported by: Sam Marshall Issue no.: MDL-21026 Solution: upgrade to 1.8.12 or 1.9.8 Workaround: apply patch http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.1349&r2=1.1350 Description: Sam Marshall discovered a serious vulnerability in the KSES html text cleaning library that Moodle includes, please upgrade all sites in order to prevent XSS attacks from any registered user. ========================================== MSA-10-0002: Topic: XSS vulnerabilty in the phpcas module Severity: Major (if using CAS) Versions affected: <1.8.12 and <1.9.8 Reported by: Joachim Fritschi Issue no.: MDL-21802 Solution: upgrade to 1.8.12 or 1.9.8 Workaround: use CAS/Client.php from latest release Description: We have backported a fix for a security problem fixed in recent version of PHP CAS client library - http://www.ja-sig.org/issues/browse/PHPCAS-52. The problem can be exploited only if CAS authentication is enabled and used on your site. ========================================== MSA-10-0003: Topic: Disclosure of full user names Severity: Minor - privacy Versions affected: <1.8.12 and <1.9.8 Reported by: Klaus Kirchner Issue no.: MDL-21830 Solution: upgrade to 1.8.12 or 1.9.8 Workaround: patch http://cvs.moodle.org/moodle/user/view.php?r1=22.214.171.124&r2=126.96.36.199 Description: Klaus Kirchner identified a problem in the course profile page which allowed ordinary users to find out names of other users - see http://moodle.org/mod/forum/discuss.php?d=145967 for more details. ========================================== MSA-10-0004: Topic: Improved access control in course restore Severity: Minor Versions affected: and <1.9.8 Reported by: multiple reporters Issue no.: MDL-16658, MDL-19233 Solution: upgrade to 1.9.8 Workaround: none Description: The restoring of courses sometimes resulted in creation of new roles - that code should be now more reliable. Please note that all the users that are allowed to restore backup files must be trustworthy. ========================================== MSA-10-0005: Topic: Incorrect validation of forms data Severity: Critical Versions affected: <1.8.12 and <1.9.8 Reported by: Sascha Herzog Issue no.: MDL-21767 Solution: upgrade to 1.8.12 or 1.9.8 Workaround: patch http://cvs.moodle.org/moodle/lib/form/selectgroups.php?r1=188.8.131.52&r2=184.108.40.206 http://cvs.moodle.org/moodle/lib/form/select.php?r1=220.127.116.11&r2=18.104.22.168 Description: Sascha Herzog discovered a SQL injection exploit in several forms, this was caused by incorrect data validation in some forms elements. ========================================== MSA-10-0006: Topic: SQL injection in Wiki module Severity: Critical Versions affected: <1.8.12 and <1.9.8 Reported by: Matthew Slowe Issue no.: MDL-21818 Solution: upgrade to 1.8.12 or 1.9.8 Workaround: patch http://cvs.moodle.org/moodle/mod/wiki/view.php?r1=22.214.171.124&r2=126.96.36.199 remove mod/wiki/* if wiki module not used Description: Matthew Slowe discovered that the data passed to add_to_log() function in wiki module is not sanitised properly, this could allow SQL injection type attacks if there are any instances of wiki in your courses. ========================================== MSA-10-0007: Topic: Reflective Cross Site Scripting (XSS) in the Moodle Global Search Engine Severity: Major (if global search enabled) Versions affected: <1.8.12 and <1.9.8 Reported by: Sascha Herzog Issue no.: MDL-21649 Solution: upgrade to 1.8.12 or 1.9.8 Workaround: patch http://cvs.moodle.org/moodle/search/query.php?r1=188.8.131.52&r2=184.108.40.206 Description: Sascha Herzog found a problem in the handling of user submitted data in global search forms. This problem is exploitable only when global search is enabled. Please note that the global search feature is still listed as experimental and is disabled by default. ========================================== MSA-10-0008: Topic: Persistent XSS when using Login-as feature Severity: Major Versions affected: <1.8.12 and <1.9.8 Reported by: Sascha Herzog Issue no.: MDL-21769 Solution: upgrade to 1.8.12 or 1.9.8 Workaround: see Version control tab in tracker issue Description: Users may trick admins into using the "Login as" feature to edit some existing posts which contain XSS exploit code. ========================================== MSA-10-0009: Topic: Session fixation prevention now turned on by default Severity: Major Versions affected: <1.8.12 and <1.9.8 Reported by: Sascha Herzog Issue no.: MDL-21788 Solution: turn on session id regeneration Description: Enabling of "Regenerate session id during login" setting is now strongly recommended for all production servers. It is now compatible with all official authentication plugins including mnet. thanks, Dan Poltawski Download attachment "signature.asc" of type "application/pgp-signature" (836 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.