-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0034
          Multiple vulnerabilities have been identified in Mooble
                 prior to versions 2.6.2, 2.5.5 and 2.4.9.
                               21 March 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Moodle
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Modify Permissions             -- Existing Account            
                      Cross-site Request Forgery     -- Remote with User Interaction
                      Cross-site Scripting           -- Remote with User Interaction
                      Provide Misleading Information -- Existing Account            
                      Access Confidential Data       -- Existing Account            
                      Unauthorised Access            -- Existing Account            
                      Reduced Security               -- Unknown/Unspecified         
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-0129 CVE-2014-0127 CVE-2014-0126
                      CVE-2014-0125 CVE-2014-0124 CVE-2014-0123
                      CVE-2014-0122  
Member content until: Sunday, April 20 2014

OVERVIEW

        A number of vulnerabilities have been identified in Moodle prior to 
        2.6.2, 2.5.5 and 2.4.9. [1 - 10]


IMPACT

        The vendor has provided the following details regarding these 
        vulnerabilities:
        
        CVE-Pending: "Question strings were not being filtered correctly 
        possibly allowing cross site scripting." [1]
        
        CVE-2014-0127: "It was possible to start a Feedback activity while 
        it was supposed to be closed." [2]
        
        CVE-2014-0122: "Capabilities to chat were being checked at the start
        of a chat, but not during, so changes were not effective 
        immediately. [3]
        
        CVE-2014-0123: "There were missing access checks on Wiki pages 
        allowing students to see pages of other students' individual wikis."
        [4]
        
        CVE-Pending: "Cross site scripting was possible with Flowplayer" [5]
        
        CVE-2014-0124: "Forum and Quiz were showing users' email addresses 
        when settings were supposed to be preventing this." [6]
        
        CVE-2014-0125: "Alias links to items in an Alfresco repository were
        provided with information that would allow someone to impersonate 
        the file owner in Alfresco." [7]
        
        CVE-2014-0126: "There was inadequate session checking when 
        triggering the import of IMS Enterprise identities." [8]
        
        CVE-2014-0129: "It was possible for authenticated users to toggle 
        the visibility of other users' badges." [9]
        
        CVE-Pending: "Assignment web service functions were not correctly 
        cleaning function parameters allowing alteration of assignment grade
        related information." [10]


MITIGATION

        The vendor has stated that these issues have been corrected in versions
        2.6.2, 2.5.5 and 2.4.9. [1 - 10]


REFERENCES

        [1] MSA-14-0004: Incorrect filtering in Quiz
            https://moodle.org/mod/forum/discuss.php?d=256416

        [2] MSA-14-0005: Access issue in Feedback activity
            https://moodle.org/mod/forum/discuss.php?d=256417

        [3] MSA-14-0006: Capability issue in Chat
            https://moodle.org/mod/forum/discuss.php?d=256418

        [4] MSA-14-0007: Access issue in Wiki
            https://moodle.org/mod/forum/discuss.php?d=256419

        [5] MSA-14-0008: Cross site scripting potential in Flowplayer
            https://moodle.org/mod/forum/discuss.php?d=256420

        [6] MSA-14-0009: Identity information leak in Forum and Quiz
            https://moodle.org/mod/forum/discuss.php?d=256421

        [7] MSA-14-0010: Identity information leak in Alfresco Repository
            https://moodle.org/mod/forum/discuss.php?d=256422

        [8] MSA-14-0011: Cross site request forgery potential in IMS enrolments
            https://moodle.org/mod/forum/discuss.php?d=256423

        [9] MSA-14-0012: Access issue in Badges
            https://moodle.org/mod/forum/discuss.php?d=256424

        [10] MSA-14-0013: Unfiltered data used in Assignment web services
             https://moodle.org/mod/forum/discuss.php?d=256425

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUyu3bxLndAQH1ShLAQIQoQ//TYQToedoRlx+bg4Tu+TGOyuBYA5Nt0ss
2dgLYXBoazr9D57dfUNgH9oSqcC+1zZILmL5E917Kev/LFiCRDyiaY2eK5dn4vVy
4Gju2NjLFjO0soc62emvPH5Ibmiq0/aOgzjuoKJKQ6bEExkGOGlFASdmCK3FBguL
WMIsBxe9n+ZUWUiujYLE4QuMwNR6HQYk2/J4m5T0ArPPqBjeN5lZdnKTMoXT3Nt1
QOBTlO7UrhP4i4OvJFNn7918HkG9jHzyALUZudh2mREIU3+eaeWZ/QR3oqyquJW7
ONmyMFAazTj+HPTzzGuU/JtBXEKATeMZmE0SJnr6s/GwZSMqc0NCguN949WlpOVY
/CoXWkkbb6PzuLp/Yjx+7AxUVPNWVsbJzshvIgvAP2R1CgvT2jWZM6OoabP2ipb+
kYAUA4hZDsXm+61ZZ65E5i9AEMp1QFATGlQnWjHfCOix448ThnoQ2wF/P7jh1pUx
LrUkp7VLGVu0N8GJxAK4al5ntniRA5xDVl7vo4flF/LP9PcY4W6I5Q2zXv8DBlrI
LuyEwjcfUoWFSOG9C2FD68vvjZZZom0yKHyZJaGuzn9irWoPoEnIvvlY/hzNVTu4
fQaQNW5QV/2UgXXB6XejWoKkWv30mxLHJ+v2lWz0A6OcP5po3IHM3b1FM4KGG+Dp
LZYKWAP7Lek=
=HzNS
-----END PGP SIGNATURE-----