Date: Mon, 17 Nov 2014 15:13:22 +0800
From: Marina Glancy <marina@...dle.com>
To: oss-security@...ts.openwall.com
Subject: Moodle security issues are now public

The following security notifications have now been made public. Thanks
to OSS members for their cooperation.

Sincerely,
Marina Glancy
Development Process Manager
Moodle HQ


==============================================================================
MSA-14-0035: Headers not added to some AJAX scripts

Description:       Without forcing encoding, it was possible that UTF7
                   characters could be used to force cross-site scripts to
                   AJAX scripts (although this is unlikely on modern browsers
                   and on most Moodle pages).
Issue summary:     Some ajax scripts and hand crafted pages do not send proper
                   encoding header
Severity/Risk:     Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier
                   unsupported versions
Versions fixed:    2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by:       Petr Skoda
Issue no.:         MDL-47966
CVE identifier:    -
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47966

==============================================================================
MSA-14-0036: XSS in mapcourse script in Feedback module

Description:       Last search string in Feedback module was not escaped in
                   the search input field.
Issue summary:     XSS through $searchcourse in mod/feedback/mapcourse.php
Severity/Risk:     Serious
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier
                   unsupported versions
Versions fixed:    2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by:       Petr Skoda
Issue no.:         MDL-47865
Workaround:        Disable feedback module or remove
                   mod/feedback:mapcourse capability from users
CVE identifier:    CVE-2014-7830
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47865

==============================================================================
MSA-14-0037: Weak temporary password generation

Description:       The word list for temporary password generation was short,
                   meaning the pool of possible passwords was not big enough.
Issue summary:     generate_password() is insecure and in use
Severity/Risk:     Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier
                   unsupported versions
Versions fixed:    2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by:       Aaron Barnes
Issue no.:         MDL-47050
Workaround:        Enable password policy
CVE identifier:    CVE-2014-7845
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47050

==============================================================================
MSA-14-0038: Hidden grade information exposed by web services

Description:       User without capability to view hidden grades could
                   retrieve grades using web services.
Issue summary:     get_grades webservice exposes hidden grades to students
Severity/Risk:     Serious
Versions affected: 2.7 and 2.7.2
Versions fixed:    2.8, 2.7.3
Reported by:       Damyon Wiese
Issue no.:         MDL-47766
Workaround:        Do not enable core_grades_get_grades in web services
CVE identifier:    CVE-2014-7831
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47766

==============================================================================
MSA-14-0039: Insufficient access check in LTI module

Description:       Capability checks in the LTI module only checked access to
                   the course and not to the activity.
Issue summary:     mod/lti/launch.php lacks access control
Severity/Risk:     Serious
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier
                   unsupported versions
Versions fixed:    2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by:       Petr Skoda
Issue no.:         MDL-47921
CVE identifier:    CVE-2014-7832
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47921

==============================================================================
MSA-14-0040: Information leak in Database activity module

Description:       Group-level entries in Database activity module became
                   visible to users in other groups after being edited by
                   a teacher.
Issue summary:     Group ID of Database record overwritten by 0
Severity/Risk:     Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier
                   unsupported versions
Versions fixed:    2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by:       Pamela Verret
Issue no.:         MDL-47697
CVE identifier:    CVE-2014-7833
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47697

==============================================================================
MSA-14-0041: Lack of capability check in tags list access

Description:       Unprivileged users could access the list of available tags
                   in the system.
Issue summary:     Tag autocomplete AJAX page lacks capability check
Severity/Risk:     Serious
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier
                   unsupported versions
Versions fixed:    2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by:       Frédéric Massart
Issue no.:         MDL-47965
CVE identifier:    CVE-2014-7846
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47965

==============================================================================
MSA-14-0042: Lack of access check in IP lookup functionality

Description:       The script used to geo-map IP addresses was available to
                   unauthenticated users, increasing server load when used by
                   other parties.
Issue summary:     iplookup is available to unauthenticated guests
Severity/Risk:     Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier
                   unsupported versions
Versions fixed:    2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by:       Dan Poltawski
Issue no.:         MDL-47321
CVE identifier:    CVE-2014-7847
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47321

==============================================================================
MSA-14-0043: Lack of group check in web service for Forum

Description:       When using the web service function for Forum discussions,
                   group permissions were not checked.
Issue summary:     forum_get_discussions web service misses group
                   permissions check
Severity/Risk:     Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5
Versions fixed:    2.8, 2.7.3 and 2.6.6
Reported by:       Petr Skoda
Issue no.:         MDL-45303
Workaround:        Do not enable web service function
                   mod_forum_get_discussions
CVE identifier:    CVE-2014-7834
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45303

==============================================================================
MSA-14-0044: Hardware path disclosed in the error message

Description:       By directly accessing an internal file, an unauthenticated
                   user can be shown an error message containing the file system
                   path of the Moodle install.
Issue summary:     PHPunit: lib/phpunit/bootstrap.php leaks system info
Severity/Risk:     Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5
Versions fixed:    2.8, 2.7.3 and 2.6.6
Reported by:       Sam Marshall
Issue no.:         MDL-47287
Workaround:        Prevent web access to this file in web server directives
CVE identifier:    CVE-2014-7848
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47287

==============================================================================
MSA-14-0045: XSS file upload possible through web service

Description:       If a web service with the file upload function was available,
                   a user could upload an XSS file to his profile picture
                   area.
Issue summary:     XSS through WS user file upload
Severity/Risk:     Serious
Versions affected: 2.7 to 2.7.2 and 2.6 to 2.6.5
Versions fixed:    2.8, 2.7.3 and 2.6.6
Reported by:       Petr Skoda
Issue no.:         MDL-47868
Workaround:        Do not enable "Can upload files" in web services
                   especially to untrusted users
CVE identifier:    CVE-2014-7835
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47868

==============================================================================
MSA-14-0046: CSRF in LTI module

Description:       Two files in the LTI module lacked a session key check,
                   potentially allowing cross-site request forgery.
Issue summary:     CSRF in mod/lti/request_tool.php and
                   mod/lti/instructor_edit_tool_type.php
Severity/Risk:     Serious
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier
                   unsupported versions
Versions fixed:    2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by:       Petr Skoda
Issue no.:         MDL-47924
CVE identifier:    CVE-2014-7836
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47924

==============================================================================
MSA-14-0047: Possible data loss in Wiki activity

Description:       By tweaking URLs, users who were able to delete pages in at
                   least one Wiki activity in the course were able to delete
                   pages in other Wiki pages in the same course.
Issue summary:     unvalidated parameters in mod/wiki/admin.php
Severity/Risk:     Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier
                   unsupported versions
Versions fixed:    2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by:       Petr Skoda
Issue no.:         MDL-47949
CVE identifier:    CVE-2014-7837
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47949

==============================================================================
MSA-14-0048: CSRF in forum tracking toggle

Description:       Set tracking script in the Forum module lacked a session
                   key check, potentially allowing cross-site request forgery.
Issue summary:     CSRF in mod/forum/settracking.php
Severity/Risk:     Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier
                   unsupported versions
Versions fixed:    2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by:       Petr Skoda
Issue no.:         MDL-48019
CVE identifier:    CVE-2014-7838
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48019

==============================================================================
MSA-14-0049: Possible to print arbitrary message to user by modifying URL

Description:       A session key check was missing on the return page in the
                   LTI module, allowing an attacker to include an arbitrary
                   message in the URL query string.
Issue summary:     mod/lti/return.php allows attacker to print arbitrary message
Severity/Risk:     Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier
                   unsupported versions
Versions fixed:    2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by:       Petr Skoda
Issue no.:         MDL-47927
CVE identifier:    -
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47927

==============================================================================
