-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                   AUSCERT Security Bulletin ASB-2014.0089
     A number of vulnerabilities have been identified in Moodle prior to
                       2.7.1, 2.6.4, 2.5.7 and 2.4.11.
                               28 July 2014
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Moodle
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Cross-site Scripting            -- Remote with User Interaction
                      Access Confidential Data        -- Remote/Unauthenticated
                      Unauthorised Access             -- Remote/Unauthenticated
                      Reduced Security                -- Unknown/Unspecified
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-3553 CVE-2014-3552 CVE-2014-3551 CVE-2014-3550
                      CVE-2014-3549 CVE-2014-3548 CVE-2014-3547 CVE-2014-3546
                      CVE-2014-3545 CVE-2014-3544 CVE-2014-3543 CVE-2014-3542
                      CVE-2014-3541
Member content until: Wednesday, August 27 2014

OVERVIEW

        A number of vulnerabilities have been identified in Moodle prior to
        2.7.1, 2.6.4, 2.5.7 and 2.4.11. [1 - 13]

IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:

        "CVE-2014-3552: Shibboleth was allowing empty session IDs and
        confusing sessions when more than one instance was associated with
        an empty ID." [1]

        "CVE-2014-3541: Serialised data passed by repositories could
        potentially contain objects defined by add-ons that could include
        executable code." [2]

        "CVE-2014-3542: It was possible for manipulated XML files passed
        from LTI servers to be interpreted by Moodle to allow access to
        server-side files." [3]

        "CVE-2014-3543: It was possible for manipulated XML files to be
        uploaded to the IMSCC course format or the IMSCP resource to allow
        access to server-side files." [4]

        "CVE-2014-3544: Filtering of the Skype profile field was not
        removing potentially harmful code." [5]

        "CVE-2014-3545: It was possible to inject code into Calculated
        questions that would be executed on the server." [6]

        "CVE-2014-3546: It was possible to get limited user information,
        such as user name and courses, by manipulating the URL of profile
        and notes pages." [7]

        "CVE-2014-3553: Forum was allowing users who were members of more
        than one group to post to all groups without the capability to
        access all groups." [8]

        "CVE-2014-3547: The details of badges from external sources were
        not being filtered." [9]

        "CVE-2014-3548: Content of exception dialogues presented from AJAX
        calls was not being escaped before being presented to users." [10]

        "CVE-2014-3549: Log entries of failed login attempts were not
        filtered correctly." [11]

        "CVE-2014-3550: Error messages generated by scheduled tasks were
        being presented to admins without correct filtering." [12]

        "CVE-2014-3551: Fields in rubrics were not being correctly
        filtered." [13]

MITIGATION

        The vendor has stated that these issues have been corrected in
        versions 2.7.1, 2.6.4, 2.5.7 and 2.4.11. [1 - 13]

REFERENCES

        [1] MSA-14-0020: Identity confusion in Shibboleth authentication
            https://moodle.org/mod/forum/discuss.php?d=264261

        [2] MSA-14-0021: Code injection in Repositories
            https://moodle.org/mod/forum/discuss.php?d=264262

        [3] MSA-14-0022: XML External Entity vulnerability in LTI module
            https://moodle.org/mod/forum/discuss.php?d=264263

        [4] MSA-14-0023: XML External Entity vulnerability in IMSCC and IMSCP
            https://moodle.org/mod/forum/discuss.php?d=264264

        [5] MSA-14-0024: Cross-site scripting vulnerability in profile field
            https://moodle.org/mod/forum/discuss.php?d=264265

        [6] MSA-14-0025: Remote code execution in Quiz
            https://moodle.org/mod/forum/discuss.php?d=264266

        [7] MSA-14-0026: Information leak in profile and notes pages
            https://moodle.org/mod/forum/discuss.php?d=264267

        [8] MSA-14-0027: Forum group posting issue
            https://moodle.org/mod/forum/discuss.php?d=264268

        [9] MSA-14-0028: Cross-site scripting possible in external badges
            https://moodle.org/mod/forum/discuss.php?d=264269

        [10] MSA-14-0029: Cross-site scripting vulnerability in exception
             dialogues
             https://moodle.org/mod/forum/discuss.php?d=264270

        [11] MSA-14-0030: Cross-site scripting through logs of failed logins
             https://moodle.org/mod/forum/discuss.php?d=264271

        [12] MSA-14-0031: Cross-site scripting though scheduled task error
             messages
             https://moodle.org/mod/forum/discuss.php?d=264272

        [13] MSA-14-0032: Cross-site scripting in advanced grading methods
             https://moodle.org/mod/forum/discuss.php?d=264273

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU9XHaBLndAQH1ShLAQJ2pRAAj5EvQ7YUKM2f+g3cbu/5i33YsCFK2uq1
9LSDyqHtooAV0gIrGDoUcrf7/t1B94gKYFpEXTwcI/gJ847rh8Fxooi/jMvcfjNh
+J+V10Xkch8MiJ0GrXnE4Trr5SsTNE9jr5/VADebt7u4P6UUKpea2OBfx0Nspdg9
4yk41Q3KuXcKAdJz26217CIReUqLcyurDfd8cX7i2sYJkKC4+30uuxmTT6ngByTT
lV/OV5Vsk3rQ2PdBmJTaWqk0/XUfkBlFNhRVQu+NniL5voHCrCgOQgnFTFO93EgG
suZiy/5ESd2Xgpd5R9WvXkacb6ZGpu1giFIWgId5gLd18ykVQfBFOYOMSE9x0sfh
S1kBmrAsNOOlQd7I3lo8sZ1kw8hEYrJWmxmZh/UB2MZVOT3S2yDvhICh4Q1qH+LS
YdzlrxlUlv7f8udIolDIEMy4aWCjeUopfpx4gRscHivN+CwaUkAMZc8LtIUvQ4gC
9K7b0Xl0+J+fNMJF6qfKAfV/cC2fVjuFSCGiF8hZvZi7YpUXgmF7iiTGNaIAx93r
Vj7s5eNJDHA+Lx3bYrgcCq3mtsG8hJaF7cpHycy+0eE92vPtAh0HIGlykb3oUPud
YiyA3Y1Y5Wm2Y1XZJBCNUpsTWJM6EgWwCK7XbdHpU8Bc5T9DgI8bB5BoxU1Xt/my
GOU05WNGMCQ=
=WprD
-----END PGP SIGNATURE-----
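Editor's note on the two XML External Entity items above (CVE-2014-3542 in the LTI module, CVE-2014-3543 in the IMSCC course format and IMSCP resource). The bulletin describes manipulated XML files that let an attacker read server-side files; the MSA titles name the class as XXE. Besides upgrading, a practitioner can put a guard in front of any parser that receives XML from an LTI tool provider or from a course-package upload. The Python below is an added example, written for this note and not taken from the bulletin or from Moodle's code (Moodle itself is PHP; the guard is parser-independent). Its policy is an assumption made here: neither IMS manifests nor LTI responses need a DTD, so a document that carries any <!DOCTYPE ...> declaration is rejected before it reaches the XML parser, which removes the external-entity vector regardless of the parser's entity-resolution defaults. The two sample documents are constructed.

```python
"""Pre-parse guard that rejects untrusted XML carrying a DOCTYPE declaration.

Added example for ASB-2014.0089; not AusCERT or Moodle code. Assumption:
the XML formats in question (IMS manifests, LTI responses) never need a
DTD, so the presence of one is treated as hostile.
"""
import re
import xml.etree.ElementTree as ET

# Constructs XML allows before the root element, besides whitespace.
_COMMENT = re.compile(r"<!--.*?-->", re.S)
_PI = re.compile(r"<\?.*?\?>", re.S)          # also matches the <?xml ...?> declaration
_EXTERNAL_ID = re.compile(r"\b(SYSTEM|PUBLIC)\b")   # external identifier keywords in a DTD


class UnsafeXML(ValueError):
    """Raised when a document is refused before parsing."""


def _doctype_end(text: str, start: int) -> int:
    """Index just past the DOCTYPE declaration starting at `start`.

    Entity declarations inside an internal subset ("[ ... ]") contain '>'
    characters, so the closing '>' is only accepted at bracket depth 0.
    """
    depth = 0
    for i in range(start, len(text)):
        c = text[i]
        if c == "[":
            depth += 1
        elif c == "]":
            depth -= 1
        elif c == ">" and depth <= 0:
            return i + 1
    return len(text)


def find_doctype(text: str):
    """Return the DOCTYPE declaration found in the prolog, or None.

    Skips the XML declaration, comments, processing instructions and
    whitespace; whatever comes next is either the root element or a DOCTYPE.
    Checking this way (rather than text.startswith) defeats a DOCTYPE hidden
    behind a leading comment.
    """
    pos, n = 0, len(text)
    while pos < n:
        while pos < n and text[pos].isspace():
            pos += 1
        if pos >= n:
            return None
        if text.startswith("<!DOCTYPE", pos):
            return text[pos:_doctype_end(text, pos)]
        m = _COMMENT.match(text, pos) or _PI.match(text, pos)
        if m is None:
            return None          # root element reached (or junk the parser will reject)
        pos = m.end()
    return None


def classify(text: str) -> str:
    """'ok' (no DTD), 'doctype' (DTD without external identifiers),
    or 'external-entity' (DTD naming SYSTEM/PUBLIC: the XXE shape)."""
    dt = find_doctype(text)
    if dt is None:
        return "ok"
    return "external-entity" if _EXTERNAL_ID.search(dt) else "doctype"


def parse_untrusted(text: str) -> ET.Element:
    """Parse only after the guard has confirmed there is no DTD at all."""
    verdict = classify(text)
    if verdict != "ok":
        raise UnsafeXML(f"rejected XML with DOCTYPE ({verdict})")
    return ET.fromstring(text)


def is_rejected(text: str) -> bool:
    """True if parse_untrusted refuses the document."""
    try:
        parse_untrusted(text)
    except UnsafeXML:
        return True
    return False


# Constructed samples: a benign IMS-style manifest and an XXE-shaped one.
BENIGN = """<?xml version="1.0" encoding="UTF-8"?>
<!-- constructed sample manifest -->
<manifest identifier="man1"><organizations/><resources/></manifest>
"""

HOSTILE = """<?xml version="1.0"?>
<!-- comment placed before the DTD to slip past a naive startswith check -->
<!DOCTYPE manifest [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<manifest identifier="&xxe;"/>
"""

if __name__ == "__main__":
    print("benign :", classify(BENIGN))
    print("hostile:", classify(HOSTILE))
```

Rejecting every DTD, not just ones with SYSTEM or PUBLIC, is deliberate: internal-subset tricks (parameter entities, entity expansion) are also shut out, and the `classify` verdict is only there so logs can say which shape was seen.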
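Editor's note on the MITIGATION section. The bulletin fixes the issue per stable branch (2.7.1, 2.6.4, 2.5.7 and 2.4.11), so "am I patched?" depends on which branch a site runs, and a 2.6.x site is not helped by the 2.7.1 number. The Python below is an added example for this note, not AusCERT or Moodle code; it reads the `$release` line from a Moodle `version.php` (a format such as `$release = '2.6.3+ (Build: 20140711)';`, which is how Moodle records its release) and classifies it against the fixed versions named above. Two choices are assumptions made here: a weekly "+" build is treated as its base release, so `2.6.3+` counts as vulnerable because it is still prior to 2.6.4; and branches older than 2.4 are reported as unsupported since the bulletin names no fix for them. The sample `version.php` text is constructed.

```python
"""Classify a Moodle release against the fixed versions in ASB-2014.0089.

Added example; not AusCERT or Moodle code. Assumes version.php carries a
line like   $release = '2.6.3+ (Build: 20140711)';   and treats a "+"
weekly build conservatively, as its base release.
"""
import re

# Fixed release per stable branch, from the bulletin's MITIGATION section.
FIXED = {
    (2, 7): (2, 7, 1),
    (2, 6): (2, 6, 4),
    (2, 5): (2, 5, 7),
    (2, 4): (2, 4, 11),
}

_RELEASE_RE = re.compile(r"""\$release\s*=\s*['"]([^'"]+)['"]""")
# major.minor with an optional .patch (Moodle writes a .0 release as "2.7")
# and an optional trailing "+" marking a weekly build.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(\+?)")


def parse_release(version_php: str):
    """Return (major, minor, patch, is_weekly_build) or None if not found."""
    m = _RELEASE_RE.search(version_php)
    if not m:
        return None
    v = _VERSION_RE.match(m.group(1).strip())
    if not v:
        return None
    major, minor, patch, plus = v.groups()
    return (int(major), int(minor), int(patch or 0), plus == "+")


def assess(release) -> str:
    """Classify a parsed release.

    'fixed'        at or above the fixed release for its branch
    'vulnerable'   on an affected branch but below the fix
    'unsupported'  older than 2.4: the bulletin names no fix, upgrade
    'not-covered'  newer than 2.7: outside this bulletin's scope
    """
    major, minor, patch, _plus = release      # "+" ignored on purpose (conservative)
    branch = (major, minor)
    if branch in FIXED:
        return "fixed" if (major, minor, patch) >= FIXED[branch] else "vulnerable"
    if branch < (2, 4):
        return "unsupported"
    return "not-covered"


def check(version_php: str) -> str:
    """End-to-end: version.php contents in, verdict out ('unknown' if unparsable)."""
    rel = parse_release(version_php)
    return "unknown" if rel is None else assess(rel)


# Constructed sample of a Moodle version.php for a 2.6 weekly build.
SAMPLE_VERSION_PHP = """<?php
// constructed sample, not a real file
$version  = 2013111803.00;
$release  = '2.6.3+ (Build: 20140711)';
$branch   = '26';
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_VERSION_PHP
    print(check(text))
```

Run it as `python check_moodle.py /path/to/moodle/version.php` on the web host; with no argument it classifies the constructed sample. Note that `$release` reflects the code on disk, not whether the upgrade step has been completed in the database, so a "fixed" verdict should be confirmed from the admin notifications page as well.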