Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 19 Nov 2012 09:59:15 +0800
From: Michael de Raadt <michaeld@...dle.com>
To: oss-security@...ts.openwall.com
Subject: Moodle security notifications public

The following security notifications have now been made public. Thanks 
to OSS members for their cooperation.

=======================================================================
MSA-12-0057: Access issue through repository

Topic:             User B is able to see and use Dropbox of User A
                    within Dropbox Repository File Picker
Severity/Risk:     Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by:       Alexander Bias
Issue no.:         MDL-29872, MDL-36366
CVE Identifier:    CVE-2012-5471
Workaround:        Turn off Dropbox repository
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29872
Description:
Users who logged out of Dropbox through the Moodle repository were
disconnected in Moodle, but the user's access to Dropbox was still
allowed while their browser session continued.

=======================================================================
MSA-12-0058: Possible form data manipulation issue

Topic:             add setConstant() for hardfreeze element
Severity/Risk:     Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+
Reported by:       Rossiani Wijaya
Issue no.:         MDL-32785
CVE Identifier:    CVE-2012-5472
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32785
Description:
Frozen form elements were open to manipulation when form data was
submitted.

=======================================================================
MSA-12-0059: Information leak in Database activity module

Topic:             Members of seperate groups can see Database activity
                    entries for other groups
Severity/Risk:     Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by:       Richard Meyer
Issue no.:         MDL-34448
CVE Identifier:    CVE-2012-5473
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34448
Description:
Within the Database activity module, when separate groups were used,
members of one group were able to see entries created by members of
another group by completing an advanced search.

=======================================================================
MSA-12-0060: Cross-site scripting vulnerability in YUI2

Topic:             yui2 swf vulnerability
Severity/Risk:     Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
                    1.9 to 1.9.18+
Reported by:       Petr Škoda, Jenny Donnelly
Issue no.:         MDL-36346
CVE Identifier:    CVE-2012-5475
Workaround:        Delete YUI SWF files
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36346
Description:
A XSS vulnerability has been discovered in some YUI 2 .swf files from
versions 2.4.0 through 2.9.0. This defect allows JavaScript injection
exploits to be created against domains that host affected YUI .swf
files.

=======================================================================
MSA-12-0061: Remote code execution through Portfolio API

Topic:             Portfolio plugin: Local File Inclusion (LFI) and the
                    possibility of Remote Command Execution (RCE).
Severity/Risk:     Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by:       Cristobal Leiva
Issue no.:         MDL-33791
CVE Identifier:    CVE-2012-5479
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36346
Description:
It was possible, when Moodle data is stored within the Web accessible
directory, to manipulate the Portfolio API callbacks to execute a file
uploaded by a user.

=======================================================================
MSA-12-0062: Information leak in Database activity module

Topic:             Any user (including a guest) can view entries in
                    database activity when more entries are required
                    before viewing other participants entries
Severity/Risk:     Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by:       Tabitha Roder
Issue no.:         MDL-35558
CVE Identifier:    CVE-2012-5480
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35558
Description:
The setting requiring that a number of entries be posted to a Database
activity before others' entries could be viewed could be circumvented
using an advanced search.

=======================================================================
MSA-12-0063: Information leak in Check Permissions page

Topic:             Check Permissions page displays entire user base
                    without moodle/role:manage capability
Severity/Risk:     Minor
Versions affected: 2.3 to 2.3.2+
Reported by:       Jody Steele
Issue no.:         MDL-35381
CVE Identifier:    CVE-2012-5481
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35381
Description:
The Check Permissions page was allowing non-admin users to see the
capabilities of all users, not just users in a course/category.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.