Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 29 Apr 2010 15:06:39 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVS request - Moodle

Hi Steve,

I don't have enough IDs to properly deal with this one and have any left over.
Can MITRE take it.

Thanks.

-- 
    JB


----- "Dan Poltawski" <talktodan@...il.com> wrote:

> Hello,
> 
> Version 1.9.8 of Moodle has been released, fixing multiple security
> issues
> requiring CVE identifiers.
> 
> These are detailed on http://moodle.org/security/
> 
> ==========================================
> MSA-10-0001: 
> Topic: Vulnerability in KSES text cleaning
> Severity: Major
> Versions affected: <1.8.12 and <1.9.8
> Reported by: Sam Marshall
> Issue no.: MDL-21026
> Solution: upgrade to 1.8.12 or 1.9.8
> Workaround: apply patch
> http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.1349&r2=1.1350
> Description: Sam Marshall discovered a serious vulnerability in the
> KSES html
> text cleaning library that Moodle includes, please upgrade all sites
> in order
> to prevent XSS attacks from any registered user.
> 
> ==========================================
> MSA-10-0002: 
> Topic: XSS vulnerabilty in the phpcas module
> Severity: Major (if using CAS)
> Versions affected: <1.8.12 and <1.9.8
> Reported by: Joachim Fritschi
> Issue no.: MDL-21802
> Solution: upgrade to 1.8.12 or 1.9.8
> Workaround: use CAS/Client.php from latest release
> 
> Description: We have backported a fix for a security problem fixed in
> recent
> version of PHP CAS client library -
> http://www.ja-sig.org/issues/browse/PHPCAS-52. The problem can be
> exploited
> only if CAS authentication is enabled and used on your site.
> 
> ==========================================
> MSA-10-0003: 
> Topic: Disclosure of full user names
> Severity: Minor - privacy
> Versions affected: <1.8.12 and <1.9.8
> Reported by: Klaus Kirchner
> Issue no.: MDL-21830
> Solution: upgrade to 1.8.12 or 1.9.8
> Workaround: patch
> http://cvs.moodle.org/moodle/user/view.php?r1=1.168.2.28&r2=1.168.2.29
> 
> Description: Klaus Kirchner identified a problem in the course profile
> page
> which allowed ordinary users to find out names of other users - see
> http://moodle.org/mod/forum/discuss.php?d=145967 for more details.
> 
> ==========================================
> MSA-10-0004: 
> Topic: Improved access control in course restore
> Severity: Minor
> Versions affected: and <1.9.8
> Reported by: multiple reporters
> Issue no.: MDL-16658, MDL-19233
> Solution: upgrade to 1.9.8
> Workaround: none
> 
> Description: The restoring of courses sometimes resulted in creation
> of new
> roles - that code should be now more reliable. Please note that all
> the users
> that are allowed to restore backup files must be trustworthy.
> 
> ==========================================
> MSA-10-0005: 
> Topic: Incorrect validation of forms data
> Severity: Critical
> Versions affected: <1.8.12 and <1.9.8
> Reported by: Sascha Herzog
> Issue no.: MDL-21767
> Solution: upgrade to 1.8.12 or 1.9.8
> Workaround: patch
> 
> http://cvs.moodle.org/moodle/lib/form/selectgroups.php?r1=1.2.4.2&r2=1.2.4.3
> http://cvs.moodle.org/moodle/lib/form/select.php?r1=1.10.4.2&r2=1.10.4.3
> Description: Sascha Herzog discovered a SQL injection exploit in
> several
> forms, this was caused by incorrect data validation in some forms
> elements.
> 
> ==========================================
> MSA-10-0006: 
> Topic: SQL injection in Wiki module
> Severity: Critical
> Versions affected: <1.8.12 and <1.9.8
> Reported by: Matthew Slowe
> Issue no.: MDL-21818
> Solution: upgrade to 1.8.12 or 1.9.8
> Workaround: patch
> 
> http://cvs.moodle.org/moodle/mod/wiki/view.php?r1=1.76.2.6&r2=1.76.2.7
> remove mod/wiki/* if wiki module not used
> Description: Matthew Slowe discovered that the data passed to
> add_to_log()
> function in wiki module is not sanitised properly, this could allow
> SQL
> injection type attacks if there are any instances of wiki in your
> courses.
> 
> ==========================================
> MSA-10-0007: 
> Topic: Reflective Cross Site Scripting (XSS) in the Moodle Global
> Search
> Engine
> Severity: Major (if global search enabled)
> Versions affected: <1.8.12 and <1.9.8
> Reported by: Sascha Herzog
> Issue no.: MDL-21649
> Solution: upgrade to 1.8.12 or 1.9.8
> Workaround: patch
> 
> http://cvs.moodle.org/moodle/search/query.php?r1=1.16.2.10&r2=1.16.2.11
> Description: Sascha Herzog found a problem in the handling of user
> submitted
> data in global search forms. This problem is exploitable only when
> global
> search is enabled. Please note that the global search feature is still
> listed
> as experimental and is disabled by default.
> 
> ==========================================
> MSA-10-0008: 
> Topic: Persistent XSS when using Login-as feature
> Severity: Major 
> Versions affected: <1.8.12 and <1.9.8
> Reported by: Sascha Herzog
> Issue no.: MDL-21769
> Solution: upgrade to 1.8.12 or 1.9.8
> Workaround: see Version control tab in tracker issue
> 
> Description: Users may trick admins into using the "Login as" feature
> to edit
> some existing posts which contain XSS exploit code.
> 
> ==========================================
> MSA-10-0009: 
> Topic: Session fixation prevention now turned on by default
> Severity: Major
> Versions affected: <1.8.12 and <1.9.8
> Reported by: Sascha Herzog
> Issue no.: MDL-21788
> Solution: turn on session id regeneration
> 
> Description: Enabling of "Regenerate session id during login" setting
> is now
> strongly recommended for all production servers. It is now compatible
> with all
> official authentication plugins including mnet.
> 
> thanks,
> 
> Dan Poltawski

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.