-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin ASB-2013.0133.2
        A number of vulnerabilities have been identified in Moodle
                              3 December 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Moodle
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Cross-site Scripting       -- Remote with User Interaction
                      Access Confidential Data   -- Remote/Unauthenticated
                      Unauthorised Access        -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-6780 CVE-2013-4525 CVE-2013-4524 CVE-2013-4523
                      CVE-2013-4522
Member content until: Wednesday, January 1 2014

Revision History:     December 3 2013: Added reference to MSA-13-0036
                                       (CVE-2013-4522)
                      December 2 2013: Initial Release

OVERVIEW

        A number of vulnerabilities have been identified in Moodle prior to
        2.6, 2.5.3, 2.4.7 and 2.3.10. [1, 2, 3, 4, 5]

IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:

        CVE-2013-4522:
        "Some files were being delivered with incorrect headers, meaning
        they could be cached downstream.
        Incorrect headers emitted for secured resources." [1]

        CVE-2013-4523:
        "JavaScript in messages was being executed on some pages.
        Cross Site Scripting in Messages." [2]

        CVE-2013-4524:
        "The file system repository was allowing access to files beyond
        the Moodle file area.
        File System repository gives read access to the whole file
        system." [3]

        CVE-2013-4525:
        "JavaScript in question answers was being executed on the Quiz
        Results page.
        XSS on view quiz results page." [4]

        CVE-2013-6780:
        "Flash files distributed with the YUI library may have allowed for
        cross-site scripting attacks. This is additional to MSA-13-0025.
        YUI2 security vulnerability." [5]

MITIGATION

        The vendor has stated that these issues have been corrected in
        versions 2.6, 2.5.3, 2.4.7 and 2.3.10. [1, 2, 3, 4, 5]

REFERENCES

        [1] MSA-13-0036: Incorrect headers sent for secured resources
            https://moodle.org/mod/forum/discuss.php?d=244479

        [2] MSA-13-0037: Cross site scripting in Messages
            https://moodle.org/mod/forum/discuss.php?d=244480

        [3] MSA-13-0038: Access to server files through repository
            https://moodle.org/mod/forum/discuss.php?d=244481

        [4] MSA-13-0039: Cross site scripting in Quiz
            https://moodle.org/mod/forum/discuss.php?d=244482

        [5] MSA-13-0040: Cross site scripting vulnerability in YUI library
            https://moodle.org/mod/forum/discuss.php?d=244483

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
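Added illustration (editor's example, not Moodle's code and not the vendor's fix) of the two bug classes behind MSA-13-0036 and MSA-13-0038 above: a secured file served without cache-restricting headers can be stored by a downstream shared cache and handed to the next requester, and a repository that joins a user-supplied path onto its base directory without checking the resolved result reads files outside the file area. It is written in Python rather than Moodle's PHP so that it runs stand-alone; the repository tree, the file names `course1/notes.txt` and `secret.txt`, the symlink and the sample header sets are all constructed for the demonstration and are not taken from Moodle.

```python
"""Editor's illustration for two bug classes in ASB-2013.0133.2; not Moodle
code.  Uses only the Python standard library."""
import os
import tempfile


def shared_cache_may_store(headers: dict) -> bool:
    """True if a shared (proxy/CDN) cache is permitted to store a response
    carrying these headers.

    Per RFC 7234 a shared cache must not store a response whose
    Cache-Control carries 'no-store' or 'private'.  Anything else, including
    no Cache-Control header at all, leaves a secured file storable
    downstream, which is the failure mode MSA-13-0036 describes.
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    directives = {
        part.strip().split("=", 1)[0].lower()
        for part in lowered.get("cache-control", "").split(",")
        if part.strip()
    }
    return not (directives & {"no-store", "private"})


def naive_join(root: str, user_path: str) -> str:
    """The vulnerable pattern: trust the joined path.

    os.path.join discards `root` when `user_path` is absolute, and normpath
    collapses '..' segments that climb out of `root`.
    """
    return os.path.normpath(os.path.join(root, user_path))


def resolve_within_root(root: str, user_path: str):
    """Resolved path of `user_path` inside `root`, or None if it escapes.

    realpath() resolves '..', absolute paths and symlinks, so the check is
    made on what the OS would actually open, not on the caller's string.
    """
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, user_path))
    # Trailing separator so 'repo2' is not mistaken for a child of 'repo'.
    if candidate == real_root or candidate.startswith(real_root + os.sep):
        return candidate
    return None


def demo() -> dict:
    """Build a constructed repository tree in a temp directory and exercise
    both join strategies against '..', absolute-path and symlink escapes.
    Returns booleans; the symlink entry is None if the platform refuses to
    create symlinks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "repo")
        os.makedirs(os.path.join(root, "course1"))
        with open(os.path.join(root, "course1", "notes.txt"), "w") as fh:
            fh.write("course file\n")
        secret = os.path.join(tmp, "secret.txt")  # outside the file area
        with open(secret, "w") as fh:
            fh.write("must not be readable through the repository\n")
        link = os.path.join(root, "course1", "link")  # planted inside, points out
        try:
            os.symlink(secret, link)
            have_symlink = True
        except (OSError, NotImplementedError):
            have_symlink = False

        return {
            "naive_escapes_via_dotdot": naive_join(root, "../secret.txt") == secret,
            "naive_escapes_via_absolute": not naive_join(root, "/etc/passwd").startswith(root),
            "safe_accepts_inside": resolve_within_root(root, "course1/notes.txt") is not None,
            "safe_rejects_dotdot": resolve_within_root(root, "../secret.txt") is None,
            "safe_rejects_absolute": resolve_within_root(root, "/etc/passwd") is None,
            "safe_rejects_symlink": (resolve_within_root(root, "course1/link") is None)
            if have_symlink else None,
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    for hdrs in ({"Cache-Control": "private, max-age=0"},
                 {"Content-Type": "application/pdf"}):
        print(hdrs, "-> shared cache may store:", shared_cache_may_store(hdrs))
```

After upgrading, the header check is the one to point at a real instance: fetch a file that requires login with curl -I and feed the response headers to shared_cache_may_store(); a result of True means a proxy between the user and Moodle is still allowed to keep a copy.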
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUp05/BLndAQH1ShLAQLAjw/+PgquImr6jL90EN1wgymmTQZHlHdQSOz4
hZ2I4LfOt17dX5nlNjM9fk6m59T0Kq5f35z9ADpPMdS203cYn0C9zEWr3W1VzdUj
t/3a7/EeMc1cjmm12DfuZlYWrEtbghMCipfynVEUfRwj11izdr3ZfjDZ3kxqOIL8
eTzeQlOuJCjsfQt4ZK7MZvfbW1QBme4YZWSk1AGUuVn2t4aakfoUlbC4+VRuBJy8
jAzOxqibMVQleRcUV1iTv1v+az4T2Wtms18ECeacHSmEU101fUn4tnEyIbLYXKCH
W0s8C8cXY4wTxs/1MSi5rhRgs44/2iXCaOXT5VtyxPQyU8G/aaGhIFruynWoIEFY
dTR1RxGxzLhVlXqIQRP5yif5lZDROJKJFdOvMa/FJCwXI/ff4w80dGfK/H6HKotk
o56Ae4aczQ/aOmooUWIe31R6C3xWzaus/MIdapIylNGRNEn15DmAXZYi9joOXFVc
8tsmYxTZ7XuJkkieWpKphDxaFs6CGiOxgKYusxB2vMY2H+lKE8eJS7Pj/o6TI9ej
qkpkDfJP3jif9FqjsdSa0VKy0FXZjM1OVMyleJdvas8kXm4zSGiTAY/5BJNGMyWI
Qy9W1A66SXhWDkIqwjHg4iiGuPATJx48WlQdXc3JH9VA0mWZParNgJzlT4ZlUHxL
pokG8agny4k=
=KP/O
-----END PGP SIGNATURE-----