Message-ID: <CAG_z0FR8DsngjL_jZuy6wgGqU1JLhOQC9-UWfjHt01qGZCFO+Q@mail.gmail.com>
Date: Mon, 17 Nov 2014 15:13:22 +0800
From: Marina Glancy <marina@...dle.com>
To: oss-security@...ts.openwall.com
Subject: Moodle security issues are now public

The following security notifications have now been made public. Thanks to OSS members for their cooperation.

Sincerely,
Marina Glancy
Development Process Manager
Moodle HQ

==============================================================================
MSA-14-0035: Headers not added to some AJAX scripts

Description: Without forcing encoding, it was possible that UTF7 characters could be used to force cross-site scripts to AJAX scripts (although this is unlikely on modern browsers and on most Moodle pages).
Issue summary: Some ajax scripts and hand crafted pages do not send proper encoding header
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Petr Skoda
Issue no.: MDL-47966
CVE identifier: -
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47966

==============================================================================
MSA-14-0036: XSS in mapcourse script in Feedback module

Description: Last search string in Feedback module was not escaped in the search input field.
Issue summary: XSS through $searchcourse in mod/feedback/mapcourse.php
Severity/Risk: Serious
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Petr Skoda
Issue no.: MDL-47865
Workaround: Disable feedback module or remove mod/feedback:mapcourse capability from users
CVE identifier: CVE-2014-7830
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47865

==============================================================================
MSA-14-0037: Weak temporary password generation

Description: The word list for temporary password generation was short meaning the pool of possible passwords was not big enough.
Issue summary: generate_password() is insecure and in use
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Aaron Barnes
Issue no.: MDL-47050
Workaround: Enable password policy
CVE identifier: CVE-2014-7845
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47050

==============================================================================
MSA-14-0038: Hidden grade information exposed by web services

Description: User without capability to view hidden grades could retrieve grades using web services.
Issue summary: get_grades webservice exposes hidden grades to students
Severity/Risk: Serious
Versions affected: 2.7 and 2.7.2
Versions fixed: 2.8, 2.7.3
Reported by: Damyon Wiese
Issue no.: MDL-47766
Workaround: Do not enable core_grades_get_grades in web services
CVE identifier: CVE-2014-7831
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47766

==============================================================================
MSA-14-0039: Insufficient access check in LTI module

Description: Capability checks in the LTI module only checked access to the course and not to the activity.
Issue summary: mod/lti/launch.php lacks access control
Severity/Risk: Serious
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Petr Skoda
Issue no.: MDL-47921
CVE identifier: CVE-2014-7832
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47921

==============================================================================
MSA-14-0040: Information leak in Database activity module

Description: Group-level entries in Database activity module became visible to users in other groups after being edited by a teacher.
Issue summary: Group ID of Database record overwritten by 0
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Pamela Verret
Issue no.: MDL-47697
CVE identifier: CVE-2014-7833
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47697

==============================================================================
MSA-14-0041: Lack of capability check in tags list access

Description: Unprivileged users could access the list of available tags in the system.
Issue summary: Tag autocomplete AJAX page lacks capability check
Severity/Risk: Serious
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Frédéric Massart
Issue no.: MDL-47965
CVE identifier: CVE-2014-7846
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47965

==============================================================================
MSA-14-0042: Lack of access check in IP lookup functionality

Description: The script used to geo-map IP addresses was available to unauthenticated users increasing server load when used by other parties.
Issue summary: iplookup is available to unauthenticated guests
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Dan Poltawski
Issue no.: MDL-47321
CVE identifier: CVE-2014-7847
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47321

==============================================================================
MSA-14-0043: Lack of group check in web service for Forum

Description: When using the web service function for Forum discussions, group permissions were not checked.
Issue summary: forum_get_discussions web service misses group permissions check
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5
Versions fixed: 2.8, 2.7.3 and 2.6.6
Reported by: Petr Skoda
Issue no.: MDL-45303
Workaround: Do not enable web service function mod_forum_get_discussions
CVE identifier: CVE-2014-7834
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45303

==============================================================================
MSA-14-0044: Hardware path disclosed in the error message

Description: By directly accessing an internal file, an unauthenticated user can be shown an error message containing the file system path of the Moodle install.
Issue summary: PHPunit: lib/phpunit/bootstrap.php leaks system info
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5
Versions fixed: 2.8, 2.7.3 and 2.6.6
Reported by: Sam Marshall
Issue no.: MDL-47287
Workaround: Prevent web access to this file in web server directives
CVE identifier: CVE-2014-7848
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47287

==============================================================================
MSA-14-0045: XSS file upload possible through web service

Description: If web service with file upload function was available, user could upload XSS file to his profile picture area.
Issue summary: XSS through WS user file upload
Severity/Risk: Serious
Versions affected: 2.7 to 2.7.2 and 2.6 to 2.6.5
Versions fixed: 2.8, 2.7.3 and 2.6.6
Reported by: Petr Skoda
Issue no.: MDL-47868
Workaround: Do not enable "Can upload files" in web services especially to untrusted users
CVE identifier: CVE-2014-7835
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47868

==============================================================================
MSA-14-0046: CSRF in LTI module

Description: Two files in the LTI module lacked a session key check potentially allowing cross-site request forgery.
Issue summary: CSRF in mod/lti/request_tool.php and mod/lti/instructor_edit_tool_type.php
Severity/Risk: Serious
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Petr Skoda
Issue no.: MDL-47924
CVE identifier: CVE-2014-7836
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47924

==============================================================================
MSA-14-0047: Possible data loss in Wiki activity

Description: By tweaking URLs, users who were able to delete pages in at least one Wiki activity in the course were able to delete pages in other Wiki pages in the same course.
Issue summary: unvalidated parameters in mod/wiki/admin.php
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Petr Skoda
Issue no.: MDL-47949
CVE identifier: CVE-2014-7837
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47949

==============================================================================
MSA-14-0048: CSRF in forum tracking toggle

Description: Set tracking script in the Forum module lacked a session key check potentially allowing cross-site request forgery.
Issue summary: CSRF in mod/forum/settracking.php
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Petr Skoda
Issue no.: MDL-48019
CVE identifier: CVE-2014-7838
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48019

==============================================================================
MSA-14-0049: Possible to print arbitrary message to user by modifying URL

Description: Session key check was missing on return page in module LTI allowing attacker to include arbitrary message in URL query string
Issue summary: mod/lti/return.php allows attacker to print arbitrary message
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Petr Skoda
Issue no.: MDL-47927
CVE identifier: -
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47927

==============================================================================