Fwd: [securityalerts] URGENT: Moodle 2.2.3, Moodle 2.1.6, 2.0.9 and Moodle 1.9.18 are now available
Lisa Kachold
lisakachold at obnosis.com
Mon May 14 08:28:44 MST 2012
Update or risk your students editing your database.
---------- Forwarded message ----------
From: <michaeld at moodle.com>
Date: Sun, May 13, 2012 at 10:50 PM
Subject: [securityalerts] URGENT: Moodle 2.2.3, Moodle 2.1.6, 2.0.9 and
Moodle 1.9.18 are now available
To: securityalerts at lists.moodle.org
Hello registered Moodle Admins!
(This email is going out to over 82,000 registered Moodle admins. You
are receiving this email because you asked for Moodle security news
when you registered a Moodle site. If you don't want these emails
then see the very end of this email for info about unsubscribing.
Replies to this email will not be read.)
I'm writing today to let you know that Moodle 2.2.3, 2.1.6, 2.0.9 and
1.9.18 are available via the usual download channels
(http://download.moodle.org, CVS or Git).
Note that Moodle 2.0.9 and 1.9.18 are no longer fully supported.
They are supported for security fixes only.
The full release notes are here:
* http://docs.moodle.org/dev/Moodle_2.2.3_release_notes
* http://docs.moodle.org/dev/Moodle_2.1.6_release_notes
* http://docs.moodle.org/dev/Moodle_2.0.9_release_notes
* http://docs.moodle.org/dev/Moodle_1.9.18_release_notes
SECURITY ISSUES
As well as a long list of bug fixes, performance improvements and
polishing, there are 15 security issues you should be aware of.
Details of these security issues are listed below.
As a registered Moodle admin we are giving you advance notice of these
issues so you have some time to fix them before we publish them more
widely on http://moodle.org/security and publicise them in one week.
To avoid leaving your site vulnerable we highly recommend you upgrade
your sites to the latest Moodle version as soon as you can.
If you cannot upgrade then please check the following list carefully
and patch your own system or switch off those features.
Thanks, as always, to EVERYONE involved in reporting and fixing security
issues for all their hard work. It really is a team effort and one
with more and more people involved all the time.
Thanks for using Moodle!
Michael de Raadt
Development Manager, Moodle HQ
=======================================================================
MSA-12-0024: Hidden information access issue
Topic: Data protection issue / Information disclosure by
"Settings" -> "Users" -> "Enrolled users"
Severity/Risk: Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by: Andreas Grupp
Issue no.: MDL-31923
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31923
Description:
Teachers without appropriate permissions were able see user access
information.
=======================================================================
MSA-12-0025: Personal communication access issue
Topic: "Recent conversations" allows anyone to see anyone
else's messages
Severity/Risk: Serious
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by: Juan Aburto
Issue no.: MDL-31834
Changes (master):
http://git.moodle.org/gw?p=moodle.git;a=commit;h=48e03792ca8faa2d781f9ef74606f3b3f0d3baec
Description:
By manipulating URL parameters, users were able to see others'
messages.
=======================================================================
MSA-12-0026: Quiz capability issue
Topic: When you add a question to the quiz, it does not
check the question:use... capability.
Severity/Risk: Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by: Tim Hunt
Issue no.: MDL-32240
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32240
Description:
Capabilities were not being correctly checked when adding questions
to a quiz.
=======================================================================
MSA-12-0027: Question bank capability issues
Topic: Various problems with permissions checks in the
question bank
Severity/Risk: Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by: Tim Hunt
Issue no.: MDL-32239
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32239
Description:
Capabilities were not being correctly checked when working in the
question bank. Question authorship was not being checked. Users were
shown UI elements when they did not have permission to use them.
User permissions were not correctly checked when saving a question.
=======================================================================
MSA-12-0028: Insecure authentication issue
Topic: CAS Multi-Authentication Does Not Use HTTPS Login
Severity/Risk: Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by: Chris Follin
Workaround: Avoid CAS authentication
Issue no.: MDL-32492
Changes (master):
http://git.moodle.org/gw?p=moodle.git;a=commit;h=895e76ea51c462c18ad66e0761ad76cd26a63ecf
Description:
A page in the CAS Authentication process was using an insecure HTTP
URL that, apart from being insecure, sent the user in circles.
=======================================================================
MSA-12-0029: Information editing access issue
Topic: Students can edit database entries in read only mode
Severity/Risk: Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+
Reported by: Amanda Doughty
Issue no.: MDL-31811
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31811
Description:
Students were able to edit pre-existing Database activity entries
after the activity had entered a read-only period.
=======================================================================
MSA-12-0030: Capability manipulation issue
Topic: Non-editor teacher can exceed teacher permissions:
example,
backup:userinfo
Severity/Risk: Serious
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+
Reported by: Jozas Nhial
Issue no.: MDL-32030
Changes (master):
http://git.moodle.org/gw?p=moodle.git;a=commit;h=0f75e1e6272db0303abc8e27362e5c3a1344b82f
Description:
Non-editing teachers were able to redefine their capabilities to
achieve actions they would not normally be able to achieve.
=======================================================================
MSA-12-0031: Cross-site scripting vulnerability in Wiki
Topic: Injection and XSS vulnerability in wiki through
insufficient validation
Severity/Risk: Serious
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+,
Reported by: Sam Hemelryk
Issue no.: MDL-32018
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32018
Description:
It was possible to inject unfiltered HTML into a wiki page title.
=======================================================================
MSA-12-0032: Cross-site scripting vulnerability in Web services
Topic: XSS in /admin/webservice/service.php
Severity/Risk: Serious
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+
Reported by: Dan Poltawski
Workaround: Avoid Web services
Issue no.: MDL-31694
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31694
Description:
The name parameter, sent to the Web service script service.php, was
not being filtered correctly.
=======================================================================
MSA-12-0033: Cross-site scripting vulnerability in Blog
Topic: XSS bug in blog/index.php in IE
Severity/Risk: Serious
Versions affected: 1.9 to 1.9.17+
Reported by: Simon Coggins
Issue no.: MDL-31745
Changes (1.9):
http://git.moodle.org/gw?p=moodle.git;a=commit;h=038131c8b5614f18c14d964dc53b6960ae6c30d8
Description:
Parameters sent to the Blog module were not sufficiently filtered.
This allowed the potential for cross-site scripting in IE
=======================================================================
MSA-12-0034: Potential SQL injection issue
Topic: Stored SQL Injection in calendar
Severity/Risk: Serious
Versions affected: 1.9 to 1.9.17+
Reported by: Simon Coggins
Issue no.: MDL-31746
Changes (1.9):
http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_19_STABLE&st=commit&s=MDL-31746
Description:
It was possible to include unfiltered information when adding a
calendar event that was stored in the database.
=======================================================================
MSA-12-0035: Cross-site scripting vulnerability in "download all"
Topic: Content-Type is TEXT/HTML for zip Download instead
of application/x-zip-compressed or forced download
Severity/Risk: Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+
Reported by: Asaf Ohaion
Workaround: Avoid "download all" feature in Assignment
Issue no.: MDL-31558
Changes (master):
http://git.moodle.org/gw?p=moodle.git;a=commit;h=ce4126c7a9e07dd0514f7ac297b5e60cad0b8d20
Description:
An incorrect mimetype was being reported for zipped assignment
submissions, causing some browsers to render the response. The fix
for this issue also prevents incorrect use of file sending functions
by third-party modules.
=======================================================================
MSA-12-0036: Cross-site scripting vulnerability in category identifier
Topic: XSS in /cohort/edit.php (POST parameter: idnumber)
Severity/Risk: Serious
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+
Reported by: Dan Poltawski
Issue no.: MDL-31691
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31691
Description:
The idnumber field, an arbitrary unique identifier for a category,
was able to be entered without being filtered.
=======================================================================
MSA-12-0037: Write access issue in Database activity module
Topic: It's possible for any user to overwrite site wide
database presets
Severity/Risk: Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by: Dan Poltawski
Issue no.: MDL-31763
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31763
Description:
Users were able to overwrite site-wide Database activity presets
created by other users.
=======================================================================
MSA-12-0038: Calendar event write permission issue
Topic: Calendar New Entry still shows and works for roles
preventing calendar entry
Severity/Risk: Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+, 1.9 to
1.9.17+
Reported by: Martin Huntley
Issue no.: MDL-18335
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-18335
Description:
Users without appropriate permissions were able to access the new
calendar entry page and create a calendar entry.
--
You are receiving this email because you registered a Moodle site with
Moodle.org
and chose to be added to this low-volume list of security notifications and
other
important Moodle-related announcements for Moodle administrators.
To unsubscribe you can re-register your site (as above) and make sure you
turn the email option OFF in the registration form. You can also send
a blank email to sympa at lists.moodle.org with "unsubscribe securityalerts"
as the subject (from the email address that is subscribed).
See http://lists.moodle.org/info/securityalerts for more.
--
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
it-clowns.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20120514/69833dc9/attachment.html>
More information about the PLUG-discuss
mailing list