Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 27 Apr 2010 22:06:59 +0100
From: Dan Poltawski <talktodan@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVS request - Moodle

Hello,

Version 1.9.8 of Moodle has been released, fixing multiple security issues
requiring CVE identifiers.

These are detailed on http://moodle.org/security/

==========================================
MSA-10-0001: 
Topic: Vulnerability in KSES text cleaning
Severity: Major
Versions affected: <1.8.12 and <1.9.8
Reported by: Sam Marshall
Issue no.: MDL-21026
Solution: upgrade to 1.8.12 or 1.9.8
Workaround: apply patch
http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.1349&r2=1.1350
Description: Sam Marshall discovered a serious vulnerability in the KSES html
text cleaning library that Moodle includes, please upgrade all sites in order
to prevent XSS attacks from any registered user.

==========================================
MSA-10-0002: 
Topic: XSS vulnerabilty in the phpcas module
Severity: Major (if using CAS)
Versions affected: <1.8.12 and <1.9.8
Reported by: Joachim Fritschi
Issue no.: MDL-21802
Solution: upgrade to 1.8.12 or 1.9.8
Workaround: use CAS/Client.php from latest release

Description: We have backported a fix for a security problem fixed in recent
version of PHP CAS client library -
http://www.ja-sig.org/issues/browse/PHPCAS-52. The problem can be exploited
only if CAS authentication is enabled and used on your site.

==========================================
MSA-10-0003: 
Topic: Disclosure of full user names
Severity: Minor - privacy
Versions affected: <1.8.12 and <1.9.8
Reported by: Klaus Kirchner
Issue no.: MDL-21830
Solution: upgrade to 1.8.12 or 1.9.8
Workaround: patch
http://cvs.moodle.org/moodle/user/view.php?r1=1.168.2.28&r2=1.168.2.29

Description: Klaus Kirchner identified a problem in the course profile page
which allowed ordinary users to find out names of other users - see
http://moodle.org/mod/forum/discuss.php?d=145967 for more details.

==========================================
MSA-10-0004: 
Topic: Improved access control in course restore
Severity: Minor
Versions affected: and <1.9.8
Reported by: multiple reporters
Issue no.: MDL-16658, MDL-19233
Solution: upgrade to 1.9.8
Workaround: none

Description: The restoring of courses sometimes resulted in creation of new
roles - that code should be now more reliable. Please note that all the users
that are allowed to restore backup files must be trustworthy.

==========================================
MSA-10-0005: 
Topic: Incorrect validation of forms data
Severity: Critical
Versions affected: <1.8.12 and <1.9.8
Reported by: Sascha Herzog
Issue no.: MDL-21767
Solution: upgrade to 1.8.12 or 1.9.8
Workaround: patch

http://cvs.moodle.org/moodle/lib/form/selectgroups.php?r1=1.2.4.2&r2=1.2.4.3
http://cvs.moodle.org/moodle/lib/form/select.php?r1=1.10.4.2&r2=1.10.4.3
Description: Sascha Herzog discovered a SQL injection exploit in several
forms, this was caused by incorrect data validation in some forms elements.

==========================================
MSA-10-0006: 
Topic: SQL injection in Wiki module
Severity: Critical
Versions affected: <1.8.12 and <1.9.8
Reported by: Matthew Slowe
Issue no.: MDL-21818
Solution: upgrade to 1.8.12 or 1.9.8
Workaround: patch

http://cvs.moodle.org/moodle/mod/wiki/view.php?r1=1.76.2.6&r2=1.76.2.7
remove mod/wiki/* if wiki module not used
Description: Matthew Slowe discovered that the data passed to add_to_log()
function in wiki module is not sanitised properly, this could allow SQL
injection type attacks if there are any instances of wiki in your courses.

==========================================
MSA-10-0007: 
Topic: Reflective Cross Site Scripting (XSS) in the Moodle Global Search
Engine
Severity: Major (if global search enabled)
Versions affected: <1.8.12 and <1.9.8
Reported by: Sascha Herzog
Issue no.: MDL-21649
Solution: upgrade to 1.8.12 or 1.9.8
Workaround: patch

http://cvs.moodle.org/moodle/search/query.php?r1=1.16.2.10&r2=1.16.2.11
Description: Sascha Herzog found a problem in the handling of user submitted
data in global search forms. This problem is exploitable only when global
search is enabled. Please note that the global search feature is still listed
as experimental and is disabled by default.

==========================================
MSA-10-0008: 
Topic: Persistent XSS when using Login-as feature
Severity: Major 
Versions affected: <1.8.12 and <1.9.8
Reported by: Sascha Herzog
Issue no.: MDL-21769
Solution: upgrade to 1.8.12 or 1.9.8
Workaround: see Version control tab in tracker issue

Description: Users may trick admins into using the "Login as" feature to edit
some existing posts which contain XSS exploit code.

==========================================
MSA-10-0009: 
Topic: Session fixation prevention now turned on by default
Severity: Major
Versions affected: <1.8.12 and <1.9.8
Reported by: Sascha Herzog
Issue no.: MDL-21788
Solution: turn on session id regeneration

Description: Enabling of "Regenerate session id during login" setting is now
strongly recommended for all production servers. It is now compatible with all
official authentication plugins including mnet.

thanks,

Dan Poltawski

Download attachment "signature.asc" of type "application/pgp-signature" (836 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.