[securityalerts] New Moodle releases 1.9.6 and 1.8.10: Security fixes

Mon Oct 26 08:30:52 MST 2009

Moodle announces more security issues.

By sending out this "advance security notice" of known exploits to
registered Moodle sites before the security fixes and "press release"
it's clear that Moodle does not fully appreciate the state of web
security today.   Literally thousands of web systems exploiters are
already targeting school based Moodle php/mysql sites!

A great many links to moodle hacking are available:
http://www.pakbugs.com/exploits/1667-moodle-1-6-9-1-7-7-1-8-9-1-9-5-file-disclosure-vulnerability.html

Note the verbiage below requesting that the "secret" continue to be
held by not forwarding this on?

We did some cracking of moodle during a HackFest also, 8 months ago,
where these and other holes were trivial to exploit.

---------- Forwarded message ----------
From: martin at moodle.com
Date: Mon, 26 Oct 2009 12:30:37 +0800
Subject: [securityalerts] New Moodle releases 1.9.6 and 1.8.10: Security fixes
To: securityalerts at lists.moodle.org

Hello Moodle Admins,

You are getting this email because you subscribed to the Moodle security alerts
list when you registered your Moodle site.   (Thanks for registering, by the
way!)

I'm writing to give you some advance notice of two minor new releases - Moodle
1.9.6 and Moodle 1.8.10 - which will be announced publically at the end of this
week.	Since there are some security fixes we recommend that you upgrade your
Moodle site as soon as you can to keep your sites safe.

The releases are available, as always, from our downloads page or any CVS
mirror.

    http://moodle.org/downloads

Here are the release notes:

   http://docs.moodle.org/en/Moodle_1.9.6_release_notes
   http://docs.moodle.org/en/Moodle_1.8.10_release_notes

Apart from a range of bug fixes and small improvements, six security
vulnerabilities (1 critical, 1 major and 4 minor) have been discovered and
fixed since Moodle 1.9.5. (Thanks as usual to the reporters and to Petr Skoda
for his tireless and excellent work defending all our Moodle sites).  There are
no reported exploits yet, and they do not affect all sites, but we still
recommend that you upgrade your sites to these latest versions as soon as
possible (or otherwise ensure that these issues are not active in your site).

Attached below is more information about the six security issues.

PLEASE DO NOT PUBLISH INFORMATION OF THESE ISSUES ON THE INTERNET YET!

Give your fellow Moodle admins some time to upgrade first. We'll publish full
details in the security news section on Friday October 30:
http://moodle.org/security

Also, please do not reply to me via email.  This mailing list goes out to
nearly 60,000 people - I usually get about 1000 direct replies which I can't
deal with :)

If you need help with upgrading or anything else please see
http://moodle.org/support or contact your web host.

Cheers and thank you for using Moodle! (We are still working hard on 2.0!)

Martin Dougiamas,
Moodle Founder and Lead Developer

=========================

MSA-09-0019: SQL injection in update_record

Topic: SQL injection in update_record
Severity: Critical
Versions affected: <1.9.6, <1.8.10, 1.7.x
Reported by: Georg-Christian Pranschke
Issue no.: MDL-20309
Solution: upgrade to latest weekly builds or 1.8.10 or 1.9.6
Workaround: none

Description: Georg-Christian Pranschke discovered a serious problem in the
update_record function. This problem may allow any registered user to exploit
several different scripts.

=========================

MSA-09-0015: Customised PhpMyAdmin upgraded to 2.11.9.6

Topic: Customised PhpMyAdmin upgraded to 2.11.9.6
Severity: Major
Versions affected: all
Reported by: upstream - PMASA-2009-6; CVE-2009-3696 and CVE-2009-3697
Issue no.: MDL-20553
Solution: Install latest package from
http://moodle.org/mod/data/view.php?d=13&rid=448 or cvs
Workaround: delete admin/mysql/*

See details at http://www.phpmyadmin.net/home_page/security/PMASA-2009-6.php

=========================

MSA-09-0016: Email not properly escaped on user edit page

Topic: Email not properly escaped on user edit page
Severity: Minor
Versions affected: <1.9.6
Reported by: Alan Trick
Issue no.: MDL-20295
Solution: upgrade to latest weekly build or 1.8.10 or 1.9.6
Workaround: disable email change confirmation (not recommended)

Description: Alan Trick discovered that the email change confirmation code does
not escape the email addresses properly. This problem is marked as minor
because the email address is validated and can not contain an arbitrary text.

=========================

MSA-09-0017: Upgrade code 1.9 does not escape tags properly

Topic: Upgrade to 1.9 from earlier versions does not escape tags properly
Severity: Minor
Versions affected: <1.9.6
Reported by: Matt Oquist
Issue no.: MDL-19709
Solution: do not use 1.9.0-1.9.5 when upgrading from any previous version

Description: The upgrade code does not properly escape tags properly when
upgrading from any version before 1.9.0.

=========================

MSA-09-0018: Incorrect escaping when updating first post in a single simple
discussion forum type

Topic: Incorrect escaping when updating first post in a single simple
discussion forum type
Severity: Minor
Versions affected: <1.9.6, <1.8.10
Reported by: Nicola Vitacolonna
Issue no.: MDL-20555
Solution: upgrade to latest weekly builds or 1.8.10 or 1.9.6
Workaround: none

Description: Nicola Vitacolonna discovered forum introduction is incorrectly
escaped when editing the first post of a single simple discussion forum. This
can potentially lead to SQL injection attacks by teachers. Students can not
exploit this problem.

=========================

MSA-09-0020: Teachers can view students' grades in all courses in the overview
report

Topic: Teachers can view students' grades in all courses in the overview report
Severity: Minor
Versions affected: <1.9.6
Reported by: Ratana Lim
Issue no.: MDL-20355
Solution: upgrade to latest weekly builds or 1.9.6
Workaround: remove the overview report link - see
http://docs.moodle.org/en/Simplifying_the_gradebook

Description: Teachers could view students' grades in all courses, including
courses for which they do not have teacher rights, in the overview report.

=========================

-- 
Skype: (623)239-3392
AT&T: (503)754-4452
www.obnosis.com
-------------- next part --------------
--
You are receiving this email because you registered a Moodle site with Moodle.org
and chose to be added to this low-volume list of security notifications and other 
important Moodle-related announcements for Moodle administrators.

To unsubscribe you can re-register your site (as above) and make sure you 
turn the email option OFF in the registration form.  You can also send 
a blank email to sympa at lists.moodle.org with "unsubscribe securityalerts" 
as the subject (from the email address that is subscribed).

See http://lists.moodle.org/info/securityalerts for more.