Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <50A99273.8080301@moodle.com>
Date: Mon, 19 Nov 2012 09:59:15 +0800
From: Michael de Raadt <michaeld@...dle.com>
To: oss-security@...ts.openwall.com
Subject: Moodle security notifications public

The following security notifications have now been made public. Thanks 
to OSS members for their cooperation.

=======================================================================
MSA-12-0057: Access issue through repository

Topic:             User B is able to see and use Dropbox of User A
                    within Dropbox Repository File Picker
Severity/Risk:     Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by:       Alexander Bias
Issue no.:         MDL-29872, MDL-36366
CVE Identifier:    CVE-2012-5471
Workaround:        Turn off Dropbox repository
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29872
Description:
Users who logged out of Dropbox through the Moodle repository were
disconnected in Moodle, but the user's access to Dropbox was still
allowed while their browser session continued.

=======================================================================
MSA-12-0058: Possible form data manipulation issue

Topic:             add setConstant() for hardfreeze element
Severity/Risk:     Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+
Reported by:       Rossiani Wijaya
Issue no.:         MDL-32785
CVE Identifier:    CVE-2012-5472
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32785
Description:
Frozen form elements were open to manipulation when form data was
submitted.

=======================================================================
MSA-12-0059: Information leak in Database activity module

Topic:             Members of seperate groups can see Database activity
                    entries for other groups
Severity/Risk:     Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by:       Richard Meyer
Issue no.:         MDL-34448
CVE Identifier:    CVE-2012-5473
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34448
Description:
Within the Database activity module, when separate groups were used,
members of one group were able to see entries created by members of
another group by completing an advanced search.

=======================================================================
MSA-12-0060: Cross-site scripting vulnerability in YUI2

Topic:             yui2 swf vulnerability
Severity/Risk:     Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
                    1.9 to 1.9.18+
Reported by:       Petr Škoda, Jenny Donnelly
Issue no.:         MDL-36346
CVE Identifier:    CVE-2012-5475
Workaround:        Delete YUI SWF files
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36346
Description:
A XSS vulnerability has been discovered in some YUI 2 .swf files from
versions 2.4.0 through 2.9.0. This defect allows JavaScript injection
exploits to be created against domains that host affected YUI .swf
files.

=======================================================================
MSA-12-0061: Remote code execution through Portfolio API

Topic:             Portfolio plugin: Local File Inclusion (LFI) and the
                    possibility of Remote Command Execution (RCE).
Severity/Risk:     Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by:       Cristobal Leiva
Issue no.:         MDL-33791
CVE Identifier:    CVE-2012-5479
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36346
Description:
It was possible, when Moodle data is stored within the Web accessible
directory, to manipulate the Portfolio API callbacks to execute a file
uploaded by a user.

=======================================================================
MSA-12-0062: Information leak in Database activity module

Topic:             Any user (including a guest) can view entries in
                    database activity when more entries are required
                    before viewing other participants entries
Severity/Risk:     Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by:       Tabitha Roder
Issue no.:         MDL-35558
CVE Identifier:    CVE-2012-5480
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35558
Description:
The setting requiring that a number of entries be posted to a Database
activity before others' entries could be viewed could be circumvented
using an advanced search.

=======================================================================
MSA-12-0063: Information leak in Check Permissions page

Topic:             Check Permissions page displays entire user base
                    without moodle/role:manage capability
Severity/Risk:     Minor
Versions affected: 2.3 to 2.3.2+
Reported by:       Jody Steele
Issue no.:         MDL-35381
CVE Identifier:    CVE-2012-5481
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35381
Description:
The Check Permissions page was allowing non-admin users to see the
capabilities of all users, not just users in a course/category.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.