Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Tue, 8 Jul 2008 23:52:21 +0200
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: moodle xss in < 1.8.5

Hi Steven,
* Steven M. Christey <coley@...us.mitre.org> [2008-07-08 19:54]:
> On Tue, 8 Jul 2008, Hanno [utf-8] Böck wrote:
> 
> > Am Sonntag 06 Juli 2008 schrieb Nico Golde:
> > > Hi Hanno,
> > >
> > > * Hanno Böck <hanno@...eck.de> [2008-07-06 19:04]:
> > > > http://docs.moodle.org/en/Release_Notes#Moodle_1.8.5
> > > >     *  KSES related XSS security vulnerability fixed
> > >
> > > This should be CVE-2008-1502:
> 
> This looks like a shared codebase relationship, which would usually
> involve the same CVE.
> 
> If the issue is really in KSES, then CVE-2008-1502 would need to be
> updated to reflect that it affects KSES as used in egroupWare, Moodle, and
> others.
> 
> Can anyone clarify?

http://cvs.moodle.org/moodle/lib/kses.php?r1=1.3.2.2&r2=1.3.2.3
http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.581.4.10&r2=1.581.4.11

Did you get the vulnerability notes by the initial bug 
reporter that I forwarded to you + vendor-sec?

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux