-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0062
        A number of vulnerabilities have been identified in Moodle
              prior to 2.7, 2.6.3, 2.5.6 and 2.4.10. [1 - 6]
                                21 May 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Moodle
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Cross-site Request Forgery -- Remote with User Interaction
                      Cross-site Scripting       -- Remote with User Interaction
                      Access Confidential Data   -- Remote/Unauthenticated
                      Unauthorised Access        -- Remote/Unauthenticated
                      Reduced Security           -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-0218 CVE-2014-0217 CVE-2014-0216
                      CVE-2014-0215 CVE-2014-0214 CVE-2014-0213
Member content until: Friday, June 20 2014

OVERVIEW

        A number of vulnerabilities have been identified in Moodle prior to
        2.7, 2.6.3, 2.5.6 and 2.4.10. [1 - 6]


IMPACT

        The vendor has provided the following details regarding
        these vulnerabilities:

        CVE-2014-0213: "Cross-site request forgery possible in Assignment." [1]

        CVE-2014-0214: "Web service token expiry issue for MoodleMobile." [2]

        CVE-2014-0215: "Anonymous student identity revealed in assignment." [3]

        CVE-2014-0216: "File access issue in HTML block." [4]

        CVE-2014-0217: "Information leak in courses." [5]

        CVE-2014-0218: "Reflected XSS in URL downloader repository." [6]


MITIGATION

        The vendor has stated that these issues have been corrected in
        versions 2.7, 2.6.3, 2.5.6 and 2.4.10. [1 - 6]
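
        As an added example (not part of this AusCERT bulletin nor of Moodle's own
        code), the following Python check tells an administrator whether a given
        Moodle release string is at or past the fixed releases named above, and
        which release to move to if not. It assumes the $release string format
        from Moodle's version.php ('X.Y[.Z][+] (Build: YYYYMMDD)'); the sample
        release strings are constructed.

```python
import re

# Fixed releases named in the bulletin: 2.7, 2.6.3, 2.5.6 and 2.4.10.
MAINLINE_FIX = (2, 7, 0)
BRANCH_FIXES = {(2, 6): (2, 6, 3), (2, 5): (2, 5, 6), (2, 4): (2, 4, 10)}

# Assumed $release format from Moodle's version.php, e.g. '2.6.2+ (Build: 20140321)':
# X.Y[.Z], an optional '+' marking a weekly build past that point release, an
# optional pre-release tag (dev, beta, rc1), then the build date in parentheses.
_RELEASE_RE = re.compile(r'^\s*(\d+)\.(\d+)(?:\.(\d+))?(\+)?\s*([A-Za-z][\w-]*)?')


def parse_release(release):
    """Return (version_tuple, is_weekly_plus_build, prerelease_tag_or_None)."""
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised Moodle release string: {release!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, m.group(4) == '+', m.group(5)


def is_fixed(release):
    """True only when the release is at or past the fix for its branch.

    A '+' weekly build is not trusted to carry the fix: 2.6.2+ sits between
    2.6.2 and 2.6.3, and the bulletin names 2.6.3 as the first fixed release.
    Pre-release builds (2.7dev, 2.7beta) are treated conservatively as not fixed.
    """
    version, _plus, prerelease = parse_release(release)
    if prerelease:
        return False
    if version >= MAINLINE_FIX:
        return True
    branch_fix = BRANCH_FIXES.get(version[:2])
    return branch_fix is not None and version >= branch_fix


def recommended_release(release):
    """Smallest fixed release to move to: the branch's point release when the
    bulletin names one, otherwise 2.7 (branches before 2.4 received no fix)."""
    version, _plus, _pre = parse_release(release)
    fix = BRANCH_FIXES.get(version[:2], MAINLINE_FIX)
    return '.'.join(str(p) for p in (fix[:2] if fix[2] == 0 else fix))


if __name__ == '__main__':
    # Constructed sample release strings, not taken from any real installation.
    for rel in ['2.6.2+ (Build: 20140321)', '2.6.3 (Build: 20140512)',
                '2.4.9 (Build: 20140310)', '2.3.11 (Build: 20140310)',
                '2.7dev (Build: 20140501)']:
        status = 'fixed' if is_fixed(rel) else f'AFFECTED, upgrade to {recommended_release(rel)}'
        print(f'{rel:28} {status}')
```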


REFERENCES

        [1] MSA-14-0014: Cross-site request forgery possible in Assignment
            https://moodle.org/mod/forum/discuss.php?d=260361

        [2] MSA-14-0015: Web service token expiry issue for MoodleMobile
            https://moodle.org/mod/forum/discuss.php?d=260362

        [3] MSA-14-0016: Anonymous student identity revealed in assignment
            https://moodle.org/mod/forum/discuss.php?d=260363

        [4] MSA-14-0017: File access issue in HTML block
            https://moodle.org/mod/forum/discuss.php?d=260364

        [5] MSA-14-0018: Information leak in courses
            https://moodle.org/mod/forum/discuss.php?d=260365

        [6] MSA-14-0019: Reflected XSS in URL downloader repository
            https://moodle.org/mod/forum/discuss.php?d=260366

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----