===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2013.0133.2
        A number of vulnerabilities have been identified in Moodle.
                              3 December 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Moodle
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Cross-site Scripting     -- Remote with User Interaction
                      Access Confidential Data -- Remote/Unauthenticated      
                      Unauthorised Access      -- Existing Account            
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-6780 CVE-2013-4525 CVE-2013-4524
                      CVE-2013-4523  
Member content until: Wednesday, January  1 2014

Revision History:     December 3 2013: Added reference to MSA-13-0036 (CVE-2013-4522)
                      December 2 2013: Initial Release

OVERVIEW

        A number of vulnerabilities have been identified in Moodle prior to
        2.6, 2.5.3, 2.4.7 and 2.3.10. [1, 2, 3, 4, 5]


IMPACT

        The vendor has provided the following details regarding these 
        vulnerabilities:
        
        CVE-2013-4522: "Some files were being delivered with incorrect headers,
        meaning they could be cached downstream. Incorrect headers emitted for 
        secured resources." [1]
        
        CVE-2013-4523: "JavaScript in messages was being executed on some 
        pages. Cross Site Scripting in Messages." [2]
        
        CVE-2013-4524: "The file system repository was allowing access to files
        beyond the Moodle file area. File System repository gives read access 
        to the whole file system." [3]
        
        CVE-2013-4525: "JavaScript in question answers was being executed on 
        the Quiz Results page. XSS on view quiz results page." [4]
        
        CVE-2013-6780: "Flash files distributed with the YUI library may have 
        allowed for cross-site scripting attacks. This is additional to 
        MSA-13-0025. YUI2 security vulnerability." [5]
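
        The defect described for CVE-2013-4522 (secured files served with
        headers that let a downstream cache store them) can be checked from
        the response headers alone. The following is an added example, not
        code from the bulletin or from Moodle: it applies RFC 7234 shared-cache
        rules to a response's headers and reports whether a proxy could re-serve
        the file; the sample responses are constructed for illustration.

```python
"""Would a downstream (shared) cache store and re-serve a secured resource?
Added example for the CVE-2013-4522 class of defect; RFC 7234 semantics assumed."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_cache_control(value):
    """Parse 'private, max-age=0' into {'private': None, 'max-age': '0'}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().lower().partition("=")
        if name:
            directives[name] = arg.strip().strip('"') or None
    return directives


def _http_date(value):
    """Parse an HTTP-date; None when missing or malformed (RFC: treat as past)."""
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def downstream_cacheable(headers):
    """Return (cacheable, reason): can a shared cache serve this without revalidating?"""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return False, "Cache-Control: no-store"
    if "private" in cc:
        return False, "Cache-Control: private"
    for name in ("s-maxage", "max-age"):  # s-maxage takes precedence for shared caches
        if name in cc:
            ttl = cc[name]
            fresh = ttl is not None and ttl.isdigit() and int(ttl) > 0
            return fresh, f"Cache-Control: {name}={ttl}"
    if "expires" in h:
        now = _http_date(h.get("date")) or datetime.now(timezone.utc)
        expires = _http_date(h["expires"])
        return (expires is not None and expires > now), f"Expires: {h['expires']}"
    # No explicit directives: a shared cache may store it heuristically,
    # which is exactly the exposure for a per-user secured file.
    return True, "no explicit cache directives (heuristic caching possible)"


def parse_raw_headers(raw):
    """Turn a raw 'HTTP/1.1 200 OK\\r\\nName: value...' block into a dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


# Constructed samples: a response with the defect and a corrected one.
VULNERABLE = ("HTTP/1.1 200 OK\r\nDate: Mon, 02 Dec 2013 10:00:00 GMT\r\n"
              "Content-Type: application/pdf\r\nCache-Control: max-age=86400\r\n")
CORRECTED = ("HTTP/1.1 200 OK\r\nDate: Mon, 02 Dec 2013 10:00:00 GMT\r\n"
             "Content-Type: application/pdf\r\nCache-Control: private, no-store, max-age=0\r\n")

if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE), ("corrected", CORRECTED)):
        print(label, downstream_cacheable(parse_raw_headers(raw)))
```

        The check is deliberately conservative: a secured resource with no
        explicit directives at all is reported as cacheable, since that is the
        situation the vendor's description covers.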


MITIGATION

        The vendor has stated that these issues have been corrected in versions
        2.6, 2.5.3, 2.4.7 and 2.3.10. [1, 2, 3, 4, 5]


REFERENCES

        [1] MSA-13-0036: Incorrect headers sent for secured resources
            https://moodle.org/mod/forum/discuss.php?d=244479

        [2] MSA-13-0037: Cross site scripting in Messages
            https://moodle.org/mod/forum/discuss.php?d=244480

        [3] MSA-13-0038: Access to server files through repository
            https://moodle.org/mod/forum/discuss.php?d=244481

        [4] MSA-13-0039: Cross site scripting in Quiz
            https://moodle.org/mod/forum/discuss.php?d=244482

        [5] MSA-13-0040: Cross site scripting vulnerability in YUI library
            https://moodle.org/mod/forum/discuss.php?d=244483

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================