-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin ASB-2012.0131
      A number of vulnerabilities have been identified in Moodle
                           20 September 2012
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Moodle
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Confidential Data -- Existing Account
                   Unauthorised Access      -- Existing Account
                   Reduced Security         -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-4408 CVE-2012-4407 CVE-2012-4403
                   CVE-2012-4402 CVE-2012-4401 CVE-2012-4400
Member content until: Saturday, October 20 2012

OVERVIEW

        A number of vulnerabilities have been identified in Moodle prior
        to version 2.3.2.

IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:

        CVE-2012-4400:
        "It was possible for a user to manipulate script parameters to
        upload a file larger than set limits." [1]

        CVE-2012-4401:
        "Users with course editing capabilities, but without permission
        to show/hide topics and set the current topic were able to
        complete these actions under certain conditions." [2]

        CVE-2012-4402:
        "Users with permission to access multiple services were able to
        use a token from one service to access another." [3]

        CVE-2012-4403:
        "The drag-and-drop script was responding to bad requests with
        information that included the full path to scripts on the
        server." [4]

        CVE-2012-4407:
        "Files embedded as part of a blog were being delivered without
        checking the publication state properly." [5]

        CVE-2012-4408:
        "The course reset link was protected by a correct permission but
        the reset page itself was being checked for a different
        permission." [6]

MITIGATION

        The vendor has stated that these issues have been corrected in
        version 2.3.2 of Moodle. [7]

REFERENCES

        [1] MSA-12-0051: File upload size constraint issue
            http://moodle.org/mod/forum/discuss.php?d=211555

        [2] MSA-12-0052: Course topics permission issue
            http://moodle.org/mod/forum/discuss.php?d=211556

        [3] MSA-12-0055: Web service access token issue
            http://moodle.org/mod/forum/discuss.php?d=211559

        [4] MSA-12-0056: Information leak in drag-and-drop
            http://moodle.org/mod/forum/discuss.php?d=211560

        [5] MSA-12-0053: Blog file access issue
            http://moodle.org/mod/forum/discuss.php?d=211557

        [6] MSA-12-0054: Course reset permission issue
            http://moodle.org/mod/forum/discuss.php?d=211558

        [7] Moodle 2.3.2 release notes
            http://docs.moodle.org/dev/Moodle_2.3.2_release_notes

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUFq6t+4yVqjM2NGpAQJPnhAAiQmsoQSbgO6XEgJeynoo10JrkXChWvkU
x9ptRoLwP+kPfpd+/XcaB606+IyB8l2nds4WEPw8lX8a7dCrzuFYDhwpjFAL39r9
5lLwa6byOqWJar14N32dtzQ2Ozzgzg4yfFCV/BIDgCw+D38kCUCGY2nXBcgkENud
fKmP5UHoNmGKipk9Z+8kWNpT1HoV8N26zY8UZO9+Ib36p3pjsrNtSMJPj9RgXmJo
NBuibeUgxP1DcDMh5bAjnAXivQb/OYD9NQjVLVCdsLlMPZxX+lUGmkNGPQiucWjl
4BpZj7AAgC8ZrRORQFdV4NxCiEOEwguotEV5ShVkjp6loGoCVI5lDpT6Kio6+KXS
28hhHSA36uTlgRevQ6lYQ9o9WujK/N6w/aXbCCNxLTYFtBpbvCaRLSS7+my6q3pq
O/M5qVjVPxXh/Vwowk4ZkJ2GlicRLt73k845I3wk/w/5EdSl/aFHmCiMZvSs60OH
QEfSRsp+84mrCYRQRoiXIQl20I8RQTfGl8Fq94Gy24DPYWKiPGV6v+q6XtITN7F8
kJd220MJDJ7cg78nXK+5lioLKrmSwlXZrwdeTEGqaF/edhtWitckD9/AhxCEqstC
JFS/Db+v8QPlJ+Tnii3oJvjHDLFazerV4OtWZQQw904ecrbOqa2w5TI39DUCRNEx
rIlK9IbBwR8=
=r6Dg
-----END PGP SIGNATURE-----
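Editorial addendum, not part of the AusCERT bulletin and not Moodle's code: a generic Python illustration of three of the weakness classes the vendor describes above (the upload size limit of CVE-2012-4400, the service-bound web service token of CVE-2012-4402, and the link/page permission mismatch of CVE-2012-4408), each shown as the weak check beside the corrected one. Every function name, the token data model, the capability table and the byte limits are constructed assumptions for illustration only.

```python
"""Generic illustrations of three weakness classes from the bulletin, each
shown as the weak check beside the corrected one.  Constructed example:
not Moodle's code or API; every name, value and table here is an assumption."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# --- Upload size constraint (the CVE-2012-4400 class) ----------------------
# The ceiling lives in server configuration, never in a request parameter.
SERVER_MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # constructed: 2 MiB


def upload_limit_vulnerable(params: dict) -> int:
    """Weak: honours a 'maxbytes' value that arrived with the request."""
    return int(params.get("maxbytes", SERVER_MAX_UPLOAD_BYTES))


def upload_limit_fixed(params: dict) -> int:
    """Hardened: a client-supplied value may only tighten the server ceiling."""
    requested = int(params.get("maxbytes", SERVER_MAX_UPLOAD_BYTES))
    if requested <= 0:
        return SERVER_MAX_UPLOAD_BYTES
    return min(requested, SERVER_MAX_UPLOAD_BYTES)


def accept_upload(size: int, params: dict, hardened: bool = True) -> bool:
    """True if a file of `size` bytes passes the chosen limit check."""
    limit = upload_limit_fixed(params) if hardened else upload_limit_vulnerable(params)
    return size <= limit


# --- Web service token bound to one service (the CVE-2012-4402 class) ------
SECRET_KEY = secrets.token_bytes(32)  # constructed: per-deployment HMAC key


@dataclass(frozen=True)
class Token:
    user_id: int
    service: str   # the service the token was issued for
    mac: str       # HMAC over (user_id, service)


def issue_token(user_id: int, service: str) -> Token:
    msg = f"{user_id}:{service}".encode()
    return Token(user_id, service, hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest())


def token_valid_vulnerable(token: Token, requested_service: str) -> bool:
    """Weak: proves the token is genuine but ignores which service it belongs to."""
    msg = f"{token.user_id}:{token.service}".encode()
    expected = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token.mac)


def token_valid_fixed(token: Token, requested_service: str) -> bool:
    """Hardened: authenticity and the service binding must both hold."""
    return (token_valid_vulnerable(token, requested_service)
            and token.service == requested_service)


# --- Link and action page checking the same capability (CVE-2012-4408 class)
# Constructed capability table: role -> set of capabilities.
CAPABILITIES = {
    "editor": {"course:update"},
    "manager": {"course:update", "course:reset"},
}
RESET_CAPABILITY = "course:reset"


def can_show_reset_link(role: str) -> bool:
    return RESET_CAPABILITY in CAPABILITIES[role]


def reset_page_vulnerable(role: str) -> bool:
    """Weak: the page enforces a different, weaker capability than the link."""
    return "course:update" in CAPABILITIES[role]


def reset_page_fixed(role: str) -> bool:
    """Hardened: the page enforces exactly what the link is gated on."""
    return RESET_CAPABILITY in CAPABILITIES[role]


def roles_with_hidden_link_but_open_page(page_check) -> list:
    """Audit helper: roles the page admits although the link is hidden from them."""
    return sorted(r for r in CAPABILITIES if page_check(r) and not can_show_reset_link(r))


if __name__ == "__main__":
    big = 3 * 1024 * 1024
    print("vulnerable accepts oversize:", accept_upload(big, {"maxbytes": 10 * big}, hardened=False))
    print("fixed accepts oversize:     ", accept_upload(big, {"maxbytes": 10 * big}))
    tok = issue_token(7, "mobile")
    print("vulnerable cross-service:", token_valid_vulnerable(tok, "admin"))
    print("fixed cross-service:     ", token_valid_fixed(tok, "admin"))
    print("audit gaps, vulnerable page:", roles_with_hidden_link_but_open_page(reset_page_vulnerable))
    print("audit gaps, fixed page:     ", roles_with_hidden_link_but_open_page(reset_page_fixed))
```

The audit helper at the end is the reusable part for a reviewer: given a role table, it enumerates every role that an action page admits while the UI hides the link, which is exactly the inconsistency the sixth advisory describes. Hiding a link is never the control; the page that performs the action must enforce the same capability.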