===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0131
        A number of vulnerabilities have been identified in Moodle
                             20 September 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Moodle
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Access Confidential Data -- Existing Account
                      Unauthorised Access      -- Existing Account
                      Reduced Security         -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-4408 CVE-2012-4407 CVE-2012-4403
                      CVE-2012-4402 CVE-2012-4401 CVE-2012-4400
Member content until: Saturday, October 20 2012

OVERVIEW

        A number of vulnerabilities have been identified in Moodle prior to
        version 2.3.2.


IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:
        
        CVE-2012-4400: "It was possible for a user to manipulate script 
        parameters to upload a file larger than set limits." [1]
        
        CVE-2012-4401: "Users with course editing capabilities, but without 
        permission to show/hide topics and set the current topic were able to 
        complete these actions under certain conditions." [2]
        
        CVE-2012-4402: "Users with permission to access multiple services were 
        able to use a token from one service to access another." [3]
        
        CVE-2012-4403: "The drag-and-drop script was responding to bad requests 
        with information that included the full path to scripts on the 
        server." [4]
        
        CVE-2012-4407: "Files embedded as part of a blog were being delivered 
        without checking the publication state properly." [5]
        
        CVE-2012-4408: "The course reset link was protected by a correct 
        permission but the reset page itself was being checked for a different 
        permission." [6]


MITIGATION

        The vendor has stated that these issues have been corrected in version
        2.3.2 of Moodle. [7]


REFERENCES

        [1] MSA-12-0051: File upload size constraint issue
            http://moodle.org/mod/forum/discuss.php?d=211555

        [2] MSA-12-0052: Course topics permission issue
            http://moodle.org/mod/forum/discuss.php?d=211556

        [3] MSA-12-0055: Web service access token issue
            http://moodle.org/mod/forum/discuss.php?d=211559

        [4] MSA-12-0056: Information leak in drag-and-drop
            http://moodle.org/mod/forum/discuss.php?d=211560

        [5] MSA-12-0053: Blog file access issue
            http://moodle.org/mod/forum/discuss.php?d=211557

        [6] MSA-12-0054: Course reset permission issue
            http://moodle.org/mod/forum/discuss.php?d=211558

        [7] Moodle 2.3.2 release notes
            http://docs.moodle.org/dev/Moodle_2.3.2_release_notes

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================