oss-sec mailing list archives
Moodle security notifications public
From: Michael de Raadt <michaeld () moodle com>
Date: Mon, 25 Mar 2013 14:03:46 +0800
The following security notifications are now public. Thanks to OSS members for their cooperation.
=======================================================================
MSA-13-0011: Calendar subscription capability issue
Description: Users without appropriate capabilities were shown controls to update calendar subscriptions, even though they were not able to modify subscriptions.
Issue summary: Student should not be able to see the subscription which they can't manage
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1
Versions fixed: 2.4.2
Reported by: Ankit Agarwal
Issue no.: MDL-37338
CVE Identifier: CVE-2013-1829
Workaround: Avoid course and group calendar subscriptions
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37338
=======================================================================
MSA-13-0012: Information leak in course profiles
Description: Course profiles were accessible without logging in as a real user
Issue summary: Course profiles open to google even when forceloginforprofiles is enabled
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions
Versions fixed: 2.4.2, 2.3.5, 2.2.8
Reported by: Helen Foster
Issue no.: MDL-37481
CVE Identifier: CVE-2013-1830
Workaround: Leave autologinguests and opentogoogle settings disabled (default)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37481
=======================================================================
MSA-13-0013: Server information revealed through exception messages
Description: Exception messages were revealing server file system information
Issue summary: Server system path revealed through exception messages
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions
Versions fixed: 2.4.2, 2.3.5, 2.2.8
Reported by: Mark Nielsen
Issue no.: MDL-36901
CVE Identifier: CVE-2013-1831
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36901
=======================================================================
MSA-13-0014: Password revealed in WebDav repository
Description: The password for a WebDav repository was not hidden on the repository configuration form
Issue summary: WebDav repository password field is plain text allowing admin to see password
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only)
Versions fixed: 2.4.2, 2.3.5, 2.2.8
Reported by: John Holmes
Issue no.: MDL-37681
CVE Identifier: CVE-2013-1832
Workaround: Avoid WebDav repositories requiring personal passwords
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37681
=======================================================================
MSA-13-0015: Cross-site scripting issue in Filepicker
Description: It was possible to upload files with filenames containing HTML and JavaScript
Issue summary: Code injection (XSS) possible in File Picker
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only)
Versions fixed: 2.4.2, 2.3.5, 2.2.8
Reported by: Frédéric Massart
Issue no.: MDL-37507
CVE Identifier: CVE-2013-1833
Workaround: Avoid the filesystem repository on Linux file systems and the Google Docs/Drive repository
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37507
=======================================================================
MSA-13-0016: External Entity Injection through Zend library
Description: Through the Zend library, clients of Moodle Web services were potentially able to reveal files on the server
Issue summary: Zend XmlRpc: Local file disclosure via XXE injection
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only)
Versions fixed: 2.4.2, 2.3.5, 2.2.8
Reported by: Frédéric Massart
Issue no.: MDL-34284
CVE Identifier: CVE-2012-3363
Workaround: Disable Web services
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284
=======================================================================
MSA-13-0017: Form manipulation issue in notes
Description: By manipulating form elements it was possible to assign a note to a different user during editing
Issue summary: Go to the edit notes form, change userid in the html with firebug => the targeted note user is changed
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (1.9 onwards)
Versions fixed: 2.4.2, 2.3.5, 2.2.8
Reported by: Jérôme Mouneyrac
Issue no.: MDL-37411
CVE Identifier: CVE-2013-1834
Workaround: Disable notes
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37411
=======================================================================
MSA-13-0018: Personal information leak through repositories
Description: Users able to use "login as" were able to see the personal repository content of the user they were impersonating
Issue summary: Admin users logged in as another user have access to the content of their external repositories
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only)
Versions fixed: 2.4.2, 2.3.5, 2.2.8
Reported by: Andrew Nicols
Issue no.: MDL-36426
CVE Identifier: CVE-2013-1835
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36426
=======================================================================
MSA-13-0019: Unauthorised settings editing through WebDav repository
Description: Any user able to view WebDav repositories was able to view, edit and delete site-wide WebDav repositories
Issue summary: Site-wide WebDAV repository instances options are accessible
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only)
Versions fixed: 2.4.2, 2.3.5, 2.2.8
Reported by: Frédéric Massart
Issue no.: MDL-37852
CVE Identifier: CVE-2013-1836
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37852