Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <4FBC2B48.10806@moodle.com>
Date: Wed, 23 May 2012 08:11:52 +0800
From: Michael de Raadt <michaeld@...dle.com>
To: oss-security@...ts.openwall.com
Subject: Moodle security notifications public

The following security notifications have now been made public. Thanks 
to OSS members for their cooperation.

=======================================================================
MSA-12-0024: Hidden information access issue

Topic:             Data protection issue / Information disclosure by
                    "Settings" ->  "Users" ->  "Enrolled users"
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by:       Andreas Grupp
Issue no.:         MDL-31923
CVE Identifier:    CVE-2012-2353
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31923
Description:
Teachers without appropriate permissions were able see user access
information.

=======================================================================
MSA-12-0025: Personal communication access issue

Topic:             "Recent conversations" allows anyone to see anyone
                    else's messages
Severity/Risk:     Serious
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by:       Juan Aburto
Issue no.:         MDL-31834
CVE Identifier:    CVE-2012-2354
Changes (master):  http://git.moodle.org/gw?p=moodle.git;a=commit;h=48e03792ca8faa2d781f9ef74606f3b3f0d3baec
Description:
By manipulating URL parameters, users were able to see others'
messages.

=======================================================================
MSA-12-0026: Quiz capability issue

Topic:             When you add a question to the quiz, it does not
                    check the question:use... capability.
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by:       Tim Hunt
Issue no.:         MDL-32240
CVE Identifier:    CVE-2012-2355
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32240
Description:
Capabilities were not being correctly checked when adding questions
to a quiz.

=======================================================================
MSA-12-0027: Question bank capability issues

Topic:             Various problems with permissions checks in the
                    question bank
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by:       Tim Hunt
Issue no.:         MDL-32239
CVE Identifier:    CVE-2012-2356
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32239
Description:
Capabilities were not being correctly checked when working in the
question bank. Question authorship was not being checked. Users were
shown UI elements when they did not have permission to use them.
User permissions were not correctly checked when saving a question.

=======================================================================
MSA-12-0028: Insecure authentication issue

Topic:             CAS Multi-Authentication Does Not Use HTTPS Login
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by:       Chris Follin
Workaround:        Avoid CAS authentication
Issue no.:         MDL-32492
CVE Identifier:    CVE-2012-2357
Changes (master):  http://git.moodle.org/gw?p=moodle.git;a=commit;h=895e76ea51c462c18ad66e0761ad76cd26a63ecf
Description:
A page in the CAS Authentication process was using an insecure HTTP
URL that, apart from being insecure, sent the user in circles.

=======================================================================
MSA-12-0029: Information editing access issue

Topic:             Students can edit database entries in read only mode
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+
Reported by:       Amanda Doughty
Issue no.:         MDL-31811
CVE Identifier:    CVE-2012-2358
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31811
Description:
Students were able to edit pre-existing Database activity entries
after the activity had entered a read-only period.

=======================================================================
MSA-12-0030: Capability manipulation issue

Topic:             Non-editor teacher can exceed teacher permissions: example, backup:userinfo
Severity/Risk:     Serious
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+
Reported by:       Jozas Nhial
Issue no.:         MDL-32030
CVE Identifier:    CVE-2012-2359
Changes (master):  http://git.moodle.org/gw?p=moodle.git;a=commit;h=0f75e1e6272db0303abc8e27362e5c3a1344b82f
Description:
Non-editing teachers were able to redefine their capabilities to
achieve actions they would not normally be able to achieve.

=======================================================================
MSA-12-0031: Cross-site scripting vulnerability in Wiki

Topic:             Injection and XSS vulnerability in wiki through
                    insufficient validation
Severity/Risk:     Serious
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+,
Reported by:       Sam Hemelryk
Issue no.:         MDL-32018
CVE Identifier:    CVE-2012-2360
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32018
Description:
It was possible to inject unfiltered HTML into a wiki page title.

=======================================================================
MSA-12-0032: Cross-site scripting vulnerability in Web services

Topic:             XSS in /admin/webservice/service.php
Severity/Risk:     Serious
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+
Reported by:       Dan Poltawski
Workaround:        Avoid Web services
Issue no.:         MDL-31694
CVE Identifier:    CVE-2012-2361
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31694
Description:
The name parameter, sent to the Web service script service.php, was
not being filtered correctly.

=======================================================================
MSA-12-0033: Cross-site scripting vulnerability in Blog

Topic:             XSS bug in blog/index.php in IE
Severity/Risk:     Serious
Versions affected: 1.9 to 1.9.17+
Reported by:       Simon Coggins
Issue no.:         MDL-31745
CVE Identifier:    CVE-2012-2362
Changes (1.9):     http://git.moodle.org/gw?p=moodle.git;a=commit;h=038131c8b5614f18c14d964dc53b6960ae6c30d8
Description:
Parameters sent to the Blog module were not sufficiently filtered.
This allowed the potential for cross-site scripting in IE

=======================================================================
MSA-12-0034: Potential SQL injection issue

Topic:             Stored SQL Injection in calendar
Severity/Risk:     Serious
Versions affected: 1.9 to 1.9.17+
Reported by:       Simon Coggins
Issue no.:         MDL-31746
CVE Identifier:    CVE-2012-2363
Changes (1.9):     http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_19_STABLE&st=commit&s=MDL-31746
Description:
It was possible to include unfiltered information when adding a
calendar event that was stored in the database.

=======================================================================
MSA-12-0035: Cross-site scripting vulnerability in "download all"

Topic:             Content-Type is TEXT/HTML for zip Download instead
                    of application/x-zip-compressed or forced download
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+
Reported by:       Asaf Ohaion
Workaround:        Avoid "download all" feature in Assignment
Issue no.:         MDL-31558
CVE Identifier:    CVE-2012-2364
Changes (master):  http://git.moodle.org/gw?p=moodle.git;a=commit;h=ce4126c7a9e07dd0514f7ac297b5e60cad0b8d20
Description:
An incorrect mimetype was being reported for zipped assignment
submissions, causing some browsers to render the response. The fix
for this issue also prevents incorrect use of file sending functions
by third-party modules.

=======================================================================
MSA-12-0036: Cross-site scripting vulnerability in category identifier

Topic:             XSS in /cohort/edit.php (POST parameter: idnumber)
Severity/Risk:     Serious
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+
Reported by:       Dan Poltawski
Issue no.:         MDL-31691
CVE Identifier:    CVE-2012-2365
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31691
Description:
The idnumber field, an arbitrary unique identifier for a category,
was able to be entered without being filtered.

=======================================================================
MSA-12-0037: Write access issue in Database activity module

Topic:             It's possible for any user to overwrite site wide
                    database presets
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by:       Dan Poltawski
Issue no.:         MDL-31763
CVE Identifier:    CVE-2012-2366
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31763
Description:
Users were able to overwrite site-wide Database activity presets
created by other users.

=======================================================================
MSA-12-0038: Calendar event write permission issue

Topic:             Calendar New Entry still shows and works for roles
                    preventing calendar entry
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+, 1.9 to
                    1.9.17+
Reported by:       Martin Huntley
Issue no.:         MDL-18335
CVE Identifier:    CVE-2012-2367
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-18335
Description:
Users without appropriate permissions were able to access the new
calendar entry page and create a calendar entry.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.