oss-sec mailing list archives

Moodle security notifications public


From: Michael de Raadt <michaeld () moodle com>
Date: Mon, 21 Jan 2013 10:20:15 +0800

The following security notifications have now been made public. Thanks to OSS members for their cooperation.

=======================================================================
MSA-13-0001: Security issue in Google Spellchecker in TinyMCE

Description:       A security issue was reported by TinyMCE. This fix
                   has been applied to Moodle.
Issue summary:     import tinymce spellchecker 2.0.6.1
Severity/Risk:     Serious
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+
Reported by:       Petr Škoda
Issue no.:         MDL-37283
CVE Identifier:    CVE-2012-6112
Workaround:        Disable spellchecker plugin
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37283

=======================================================================
MSA-13-0002: Capability issue with Outcome editing

Description:       Users without the appropriate capability were able
                   to set a custom outcome they had created as a
                   standard site-wide capability when editing that
                   outcome.
Issue summary:     Teachers can set Outcomes to be Standard when
                   re-editing
Severity/Risk:     Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+,
                   1.9 to 1.9.19
Reported by:       Elena Ivanova
Issue no.:         MDL-27619
CVE Identifier:    CVE-2012-6098
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-27619

=======================================================================
MSA-13-0003: Potential server file access through backup restoration

Description:       Paths in backups to restorable files were not being
                   sufficiently validated and could be manipulated to
                   gain access to files on the server.
Issue summary:     moodle1 backup converter path not properly validated
Severity/Risk:     Serious
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+
Reported by:       Dan Poltawski
Issue no.:         MDL-36977
CVE Identifier:    CVE-2012-6099
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36977

=======================================================================
MSA-13-0004: Information leak through activity report

Description:       Under certain circumstances, when last access is
                   included in a list of fields forced to be hidden,
                   the Activity report would still reveal users' last
                   access.
Issue summary:     Activity Report showing lastaccess even if it is a
                   hidden field
Severity/Risk:     Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+
Reported by:       Jody Steele
Issue no.:         MDL-33340
CVE Identifier:    CVE-2012-6100
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-33340

=======================================================================
MSA-13-0005: Potential phishing attack through URL redirects

Description:       Insufficient filtering of return URLs on some pages
                   was allowing redirects to sites outside Moodle.
Issue summary:     Open redirect issues
Severity/Risk:     Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+
Reported by:       Simon Coggins
Issue no.:         MDL-35991
CVE Identifier:    CVE-2012-6101
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35991

=======================================================================
MSA-13-0006: Potential information leak in Assignment module

Description:       Through URL manipulation, students were able to view
                   feedback comments provided on other students'
                   submissions.
Issue summary:     Assignment comment permissions are not being
                   validated
Severity/Risk:     Serious
Versions affected: 2.4, 2.3 to 2.3.3+
Reported by:       Dan Poltawski
Issue no.:         MDL-37244
CVE Identifier:    CVE-2012-6102
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37244

=======================================================================
MSA-13-0007: Potential exploit in messaging

Description:       The messaging system was not checking the user's
                   session correctly when messages were sent.
Issue summary:     Course message sending can be exploited by CSRF
Severity/Risk:     Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+
Reported by:       Andrew Nicols
Issue no.:         MDL-36600
CVE Identifier:    CVE-2012-6103
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36600

=======================================================================
MSA-13-0008: Information leak through Blog RSS

Description:       Blog posts that were hidden from guest users in the
                   Web interface were being included in the related RSS
                   feed.
Issue summary:     Guest users can access RSS feed for site level blogs
Severity/Risk:     Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+
Reported by:       Charles Fulton
Issue no.:         MDL-36620
CVE Identifier:    CVE-2012-6104
Workaround:        Disable blogging
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36620

=======================================================================
MSA-13-0009: Information leak through Blog RSS

Description:       Blog posts were still accessible via the blog RSS
                   feed, even after blogging was disabled globally.
Issue summary:     Blog posts still available via RSS even after the
                   blogging is disabled
Severity/Risk:     Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+
Reported by:       David Mudrak
Issue no.:         MDL-37467
CVE Identifier:    CVE-2012-6105
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37467

=======================================================================
MSA-13-0010: Failure to check capabilities in calendar

Description:       Students were able to delete course level calendar
                   subscriptions created by teachers.
Issue summary:     Student user able to Remove imported calendar from
                   Manage Subscriptions
Severity/Risk:     Minor
Versions affected: 2.4
Reported by:       David O'Brien
Issue no.:         MDL-37106
CVE Identifier:    CVE-2012-6106
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37106
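The MSA-13-0003 and MSA-13-0005 entries above describe two validation failures of the same shape: a file path taken from an uploaded backup that can reach files outside the restore directory, and a return URL that can send the browser to a site outside Moodle. The following is an added illustration of the two checks in Python. It is not Moodle's PHP code and not the fix referenced by the MDL links above; the temp directory, the site URL and the two function names are assumed for the example.

```python
"""Input checks of the two kinds described in MSA-13-0003 (backup file paths)
and MSA-13-0005 (return URLs). Added illustration, not Moodle code; the
directory and site URL below are assumed values for the example."""
import posixpath
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Assumed values for the example; a real deployment takes these from config.
BACKUP_TEMP_DIR = "/var/moodledata/temp/backup/abc123"
SITE_ROOT = "https://moodle.example.org/moodle/"


def restorable_file_path(relative: str, base: str = BACKUP_TEMP_DIR) -> Optional[str]:
    """Return the absolute path of a file named inside a backup, or None.

    The path stored in the backup is untrusted: it came from an uploaded
    archive. Normalise it against the temp directory and require the result
    to stay strictly inside that directory, so '../../config.php' or an
    absolute '/etc/passwd' cannot be read as if it were a backup file.
    """
    if not relative or "\x00" in relative or "\\" in relative:
        return None
    if posixpath.isabs(relative):
        return None
    base_n = posixpath.normpath(base)
    joined = posixpath.normpath(posixpath.join(base_n, relative))
    # The trailing '/' stops a sibling-directory bypass ('abc123' vs 'abc1234')
    # and also rejects a path that resolves to the base directory itself.
    if not joined.startswith(base_n + "/"):
        return None
    # Caveat: this is a lexical check. If the temp directory may contain
    # symlinks, also compare os.path.realpath(joined) against the real base.
    return joined


def safe_return_url(candidate: str, site_root: str = SITE_ROOT) -> Optional[str]:
    """Return an absolute URL under site_root to redirect to, or None.

    The candidate is resolved against site_root before it is checked, so
    scheme-relative '//evil.example', absolute 'https://evil.example',
    'javascript:' and 'user@host' forms are all compared by their real
    scheme and host rather than by a string prefix. Redirect to the value
    returned here, never to the raw input.
    """
    if not candidate or any(c in candidate for c in "\x00\r\n\\"):
        return None  # control characters (header injection) and backslash tricks
    site = urlsplit(site_root)
    target = urlsplit(urljoin(site_root, candidate))
    if target.scheme != site.scheme:
        return None
    if target.netloc.lower() != site.netloc.lower():
        return None
    # Stay under the site's path prefix; allow the bare prefix without a slash.
    if not (target.path.startswith(site.path) or target.path == site.path.rstrip("/")):
        return None
    return target.geturl()


if __name__ == "__main__":
    for p in ("files/1/file.txt", "../../../../etc/passwd", "/etc/passwd"):
        print(repr(p), "->", restorable_file_path(p))
    for u in ("/moodle/course/view.php?id=2", "//evil.example/moodle/",
              "https://moodle.example.org@evil.example/moodle/"):
        print(repr(u), "->", safe_return_url(u))
```

Both functions return the value to use (the resolved path or the absolute URL) rather than a boolean, so the caller cannot validate one string and then redirect to, or open, another. The path check is lexical only; where the restore directory may contain symlinks it should be followed by a realpath comparison, as noted in the code.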

