===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0137
        A number of vulnerabilities have been identified in Moodle
                   prior to 2.8, 2.7.3, 2.6.6 and 2.5.9.
                             26 November 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Moodle
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Cross-site Request Forgery -- Remote with User Interaction
                      Cross-site Scripting       -- Remote with User Interaction
                      Access Confidential Data   -- Remote/Unauthenticated      
                      Unauthorised Access        -- Existing Account            
                      Reduced Security           -- Existing Account            
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-7848 CVE-2014-7847 CVE-2014-7846
                      CVE-2014-7845 CVE-2014-7838 CVE-2014-7837
                      CVE-2014-7836 CVE-2014-7835 CVE-2014-7834
                      CVE-2014-7833 CVE-2014-7832 CVE-2014-7831
                      CVE-2014-7830  
Member content until: Friday, December 26 2014

OVERVIEW

        A number of vulnerabilities have been identified in Moodle prior to
        2.8, 2.7.3, 2.6.6 and 2.5.9. [1 - 15]


IMPACT

        The vendor has provided the following details regarding these 
        vulnerabilities:
        
        Unknown CVE: "Without forcing encoding, it was possible that UTF7 
        characters could be used to force cross-site scripts to AJAX scripts
        (although this is unlikely on modern browsers and on most Moodle 
        pages)." [1]
        
        CVE-2014-7830: "Last search string in Feedback module was not 
        escaped in the search input field." [2]
        
        CVE-2014-7845: "The word list for temporary password generation was
        short meaning the pool of possible passwords was not big enough." 
        [3]
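        The following added example (not from the bulletin or from Moodle's
        code; the word-list sizes are constructed for illustration) shows why a
        short word list matters: the pool of possible passwords is the list
        size raised to the number of words drawn, so the usable entropy grows
        only with the logarithm of the list size.

```python
import math
import secrets

# Constructed word lists for illustration only; the bulletin does not state
# the real sizes of Moodle's list before and after the fix.
SHORT_WORDLIST = [f"word{i}" for i in range(50)]
LONG_WORDLIST = [f"word{i}" for i in range(4096)]


def pool_size(wordlist_size: int, words_per_password: int) -> int:
    """Number of distinct passwords when each position is drawn independently."""
    return wordlist_size ** words_per_password


def pool_bits(wordlist_size: int, words_per_password: int) -> float:
    """Entropy in bits of a password drawn uniformly from that pool."""
    return words_per_password * math.log2(wordlist_size)


def is_pool_adequate(wordlist_size: int, words_per_password: int,
                     min_bits: float = 40.0) -> bool:
    """Policy check: reject generators whose pool is below a chosen entropy floor.

    The 40-bit floor is an assumed local policy value, not a Moodle setting.
    """
    return pool_bits(wordlist_size, words_per_password) >= min_bits


def generate_temp_password(wordlist: list[str], words_per_password: int) -> str:
    """Draw words with a CSPRNG so every element of the pool is equally likely."""
    return "-".join(secrets.choice(wordlist) for _ in range(words_per_password))


if __name__ == "__main__":
    for name, words in (("short", SHORT_WORDLIST), ("long", LONG_WORDLIST)):
        n = len(words)
        print(f"{name}: {n} words x 3 -> pool {pool_size(n, 3)} "
              f"({pool_bits(n, 3):.1f} bits), adequate={is_pool_adequate(n, 3)}")
    print("sample:", generate_temp_password(LONG_WORDLIST, 3))
```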
        
        CVE-2014-7831: "User without capability to view hidden grades could
        retrieve grades using web services." [4]
        
        CVE-2014-7832: "Capability checks in the LTI module only checked 
        access to the course and not to the activity." [5]
        
        CVE-2014-7833: "Group-level entries in Database activity module 
        became visible to users in other groups after being edited by a 
        teacher." [6]
        
        CVE-2014-7846: "Unprivileged users could access the list of 
        available tags in the system." [7]
        
        CVE-2014-7847: "The script used to geo-map IP addresses was 
        available to unauthenticated users increasing server load when used
        by other parties." [8]
        
        CVE-2014-7834: "When using the web service function for Forum 
        discussions, group permissions were not checked." [9]
        
        CVE-2014-7848: "By directly accessing an internal file, an 
        unauthenticated user can be shown an error message containing the 
        file system path of the Moodle install." [10]
        
        CVE-2014-7835: "If web service with file upload function was 
        available, user could upload XSS file to his profile picture area."
        [11]
        
        CVE-2014-7836: "Two files in the LTI module lacked a session key 
        check potentially allowing cross-site request forgery." [12]
        
        CVE-2014-7837: "By tweaking URLs, users who were able to delete 
        pages in at least one Wiki activity in the course were able to 
        delete pages in other Wiki pages in the same course." [13]
        
        CVE-2014-7838: "Set tracking script in the Forum module lacked a 
        session key check potentially allowing cross-site request forgery."
        [14]
        
        Unknown CVE: "Session key check was missing on return page in module
        LTI allowing attacker to include arbitrary message in URL query 
        string." [15]


MITIGATION

        The vendor has stated that these issues have been corrected in 
        versions 2.8, 2.7.3, 2.6.6 and 2.5.9. [1 - 15]


REFERENCES

        [1] MSA-14-0035: Headers not added to some AJAX scripts
            https://moodle.org/mod/forum/discuss.php?d=275146

        [2] MSA-14-0036: XSS in mapcourse script in Feedback module
            https://moodle.org/mod/forum/discuss.php?d=275147

        [3] MSA-14-0037: Weak temporary password generation
            https://moodle.org/mod/forum/discuss.php?d=275152

        [4] MSA-14-0038: Hidden grade information exposed by web services
            https://moodle.org/mod/forum/discuss.php?d=275153

        [5] MSA-14-0039: Insufficient access check in LTI module
            https://moodle.org/mod/forum/discuss.php?d=275154

        [6] MSA-14-0040: Information leak in Database activity module
            https://moodle.org/mod/forum/discuss.php?d=275155

        [7] MSA-14-0041: Lack of capability check in tags list access
            https://moodle.org/mod/forum/discuss.php?d=275157

        [8] MSA-14-0042: Lack of access check in IP lookup functionality
            https://moodle.org/mod/forum/discuss.php?d=275158

        [9] MSA-14-0043: Lack of group check in web service for Forum
            https://moodle.org/mod/forum/discuss.php?d=275159

        [10] MSA-14-0044: Hardware path disclosed in the error message
             https://moodle.org/mod/forum/discuss.php?d=275160

        [11] MSA-14-0045: XSS file upload possible through web service
             https://moodle.org/mod/forum/discuss.php?d=275161

        [12] MSA-14-0046: CSRF in LTI module
             https://moodle.org/mod/forum/discuss.php?d=275162

        [13] MSA-14-0047: Possible data loss in Wiki activity
             https://moodle.org/mod/forum/discuss.php?d=275163

        [14] MSA-14-0048: CSRF in forum tracking toggle
             https://moodle.org/mod/forum/discuss.php?d=275164

        [15] Possible to print arbitrary message to user by modifying URL
             https://moodle.org/mod/forum/discuss.php?d=275165

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================