Message-ID: <514FE8C2.2010400@moodle.com>
Date: Mon, 25 Mar 2013 14:03:46 +0800
From: Michael de Raadt <michaeld@...dle.com>
To: oss-security@...ts.openwall.com
Subject: Moodle security notifications public
The following security notifications are now public. Thanks to OSS
members for their cooperation.
=======================================================================
MSA-13-0011: Calendar subscription capability issue
Description: Users without appropriate capabilities were shown
controls to update calendar subscriptions, even
though they were not able to modify subscriptions.
Issue summary: Student should not be able to see the subscription
which they can't manage
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1
Versions fixed: 2.4.2
Reported by: Ankit Agarwal
Issue no.: MDL-37338
CVE Identifier: CVE-2013-1829
Workaround: Avoid course and group calendar subscriptions
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37338
=======================================================================
MSA-13-0012: Information leak in course profiles
Description: Course profiles were accessible without logging in
as a real user
Issue summary: Course profiles open to google even when
forceloginforprofiles is enabled
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7,
earlier unsupported versions
Versions fixed: 2.4.2, 2.3.5, 2.2.8
Reported by: Helen Foster
Issue no.: MDL-37481
CVE Identifier: CVE-2013-1830
Workaround: Leave autologinguests and opentogoogle settings
disabled (default)
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37481
=======================================================================
MSA-13-0013: Server information revealed through exception messages
Description: Exception messages were revealing server file
system information
Issue summary: Server system path revealed through exception
messages
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7,
earlier unsupported versions
Versions fixed: 2.4.2, 2.3.5, 2.2.8
Reported by: Mark Nielsen
Issue no.: MDL-36901
CVE Identifier: CVE-2013-1831
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36901
=======================================================================
MSA-13-0014: Password revealed in WebDav repository
Description: The password for a WebDav repository was not hidden
on the repository configuration form
Issue summary: WebDav repository password field is plain text
allowing admin to see password
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7,
earlier unsupported versions (2.x only)
Versions fixed: 2.4.2, 2.3.5, 2.2.8
Reported by: John Holmes
Issue no.: MDL-37681
CVE Identifier: CVE-2013-1832
Workaround: Avoid WebDav repositories requiring personal
passwords
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37681
=======================================================================
MSA-13-0015: Cross-site scripting issue in Filepicker
Description: It was possible to upload files with filenames
containing HTML and JavaScript
Issue summary: Code injection (XSS) possible in File Picker
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7,
earlier unsupported versions (2.x only)
Versions fixed: 2.4.2, 2.3.5, 2.2.8
Reported by: Frédéric Massart
Issue no.: MDL-37507
CVE Identifier: CVE-2013-1833
Workaround: Avoid the filesystem repository on Linux file
systems and the Google Docs/Drive repository
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37507
=======================================================================
MSA-13-0016: External Entity Injection through Zend library
Description: Through the Zend library, clients of Moodle Web
services were potentially able to reveal files
on the server
Issue summary: Zend XmlRpc: Local file disclosure via XXE injection
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7,
earlier unsupported versions (2.x only)
Versions fixed: 2.4.2, 2.3.5, 2.2.8
Reported by: Frédéric Massart
Issue no.: MDL-34284
CVE Identifier: CVE-2012-3363
Workaround: Disable Web services
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284
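As an added, defender-side example (not Moodle's or Zend's own code): a pre-parse check, written here in Python, that refuses XML-RPC request bodies carrying a DOCTYPE or entity declaration before they reach an XML parser, which is the general mitigation for the XXE class MSA-13-0016 describes. The request bodies, the method name and the entity URL are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# XML-RPC has no legitimate use for a DTD, and an XXE payload needs one,
# so any DOCTYPE or ENTITY declaration is refused outright. XML keywords are
# case-sensitive; matching case-insensitively is deliberately conservative.
_DTD_RE = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def reject_if_dtd(body: bytes) -> None:
    """Raise ValueError if the raw request body declares a DTD or entity."""
    if _DTD_RE.search(body):
        raise ValueError("XML-RPC request contains a DTD/entity declaration; refused")


def parse_xmlrpc_call(body: bytes) -> tuple:
    """Return (methodName, [string params]) for a simple XML-RPC methodCall,
    refusing the body before parsing if it declares a DTD."""
    reject_if_dtd(body)
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    name = root.findtext("methodName") or ""
    params = [v.text or "" for v in root.iterfind("params/param/value/string")]
    return name, params


def check(body: bytes) -> tuple:
    """Classify a body as ('accepted', parsed) or ('rejected', reason)."""
    try:
        return ("accepted", parse_xmlrpc_call(body))
    except ValueError as exc:
        return ("rejected", str(exc))


# Constructed sample bodies (placeholder method name, not a Moodle function).
BENIGN = b"""<?xml version="1.0"?>
<methodCall><methodName>example.getInfo</methodName>
<params><param><value><string>token-placeholder</string></value></param></params>
</methodCall>"""

# Same call, but with an external entity declared: refused before parsing.
DTD_ATTEMPT = b"""<?xml version="1.0"?>
<!DOCTYPE methodCall [<!ENTITY ext SYSTEM "file:///placeholder/path">]>
<methodCall><methodName>example.getInfo</methodName>
<params><param><value><string>&ext;</string></value></param></params>
</methodCall>"""
```

The check runs on the raw bytes, so it applies regardless of which XML library sits behind it.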
=======================================================================
MSA-13-0017: Form manipulation issue in notes
Description: By manipulating form elements it was possible to
assign a note to a different user during editing
Issue summary: Go to the edit notes form, change userid in the html
with firebug => the targeted note user is changed
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7,
earlier unsupported versions (1.9 onwards)
Versions fixed: 2.4.2, 2.3.5, 2.2.8
Reported by: Jérôme Mouneyrac
Issue no.: MDL-37411
CVE Identifier: CVE-2013-1834
Workaround: Disable notes
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37411
=======================================================================
MSA-13-0018: Personal information leak through repositories
Description: Users able to use "login as" were able to see the
personal repository content of the user they were
impersonating
Issue summary: Admin users logged in as another user have access to
the content of their external repositories
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7,
earlier unsupported versions (2.x only)
Versions fixed: 2.4.2, 2.3.5, 2.2.8
Reported by: Andrew Nicols
Issue no.: MDL-36426
CVE Identifier: CVE-2013-1835
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36426
=======================================================================
MSA-13-0019: Unauthorised settings editing through WebDav repository
Description: Any user able to view WebDav repositories was able
to view, edit and delete site-wide WebDav
repositories
Issue summary: Site-wide WebDAV repository instances options are
accessible
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7,
earlier unsupported versions (2.x only)
Versions fixed: 2.4.2, 2.3.5, 2.2.8
Reported by: Frédéric Massart
Issue no.: MDL-37852
CVE Identifier: CVE-2013-1836
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37852