-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin

                          ASB-2014.0137
   A number of vulnerabilities have been identified in Moodle prior to
                      2.8, 2.7.3, 2.6.6 and 2.5.9.
                            26 November 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Moodle
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
                   Cross-site Scripting       -- Remote with User Interaction
                   Access Confidential Data   -- Remote/Unauthenticated
                   Unauthorised Access        -- Existing Account
                   Reduced Security           -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-7848 CVE-2014-7847 CVE-2014-7846 CVE-2014-7845
                   CVE-2014-7838 CVE-2014-7837 CVE-2014-7836 CVE-2014-7835
                   CVE-2014-7834 CVE-2014-7833 CVE-2014-7832 CVE-2014-7831
                   CVE-2014-7830
Member content until: Friday, December 26 2014

OVERVIEW

        A number of vulnerabilities have been identified in Moodle prior to
        2.8, 2.7.3, 2.6.6 and 2.5.9. [1 - 15]

IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:

        Unknown CVE: "Without forcing encoding, it was possible that UTF7
        characters could be used to force cross-site scripts to AJAX scripts
        (although this is unlikely on modern browsers and on most Moodle
        pages)." [1]

        CVE-2014-7830: "Last search string in Feedback module was not escaped
        in the search input field." [2]

        CVE-2014-7845: "The word list for temporary password generation was
        short meaning the pool of possible passwords was not big enough." [3]

        CVE-2014-7831: "User without capability to view hidden grades could
        retrieve grades using web services." [4]

        CVE-2014-7832: "Capability checks in the LTI module only checked
        access to the course and not to the activity." [5]

        CVE-2014-7833: "Group-level entries in Database activity module
        became visible to users in other groups after being edited by a
        teacher." [6]

        CVE-2014-7846: "Unprivileged users could access the list of available
        tags in the system." [7]

        CVE-2014-7847: "The script used to geo-map IP addresses was available
        to unauthenticated users increasing server load when used by other
        parties." [8]

        CVE-2014-7834: "When using the web service function for Forum
        discussions, group permissions were not checked." [9]

        CVE-2014-7848: "By directly accessing an internal file, an
        unauthenticated user can be shown an error message containing the
        file system path of the Moodle install." [10]

        CVE-2014-7835: "If web service with file upload function was
        available, user could upload XSS file to his profile picture
        area." [11]

        CVE-2014-7836: "Two files in the LTI module lacked a session key
        check potentially allowing cross-site request forgery." [12]

        CVE-2014-7837: "By tweaking URLs, users who were able to delete pages
        in at least one Wiki activity in the course were able to delete
        pages in other Wiki pages in the same course." [13]

        CVE-2014-7838: "Set tracking script in the Forum module lacked a
        session key check potentially allowing cross-site request
        forgery." [14]

        Unknown CVE: "Session key check was missing on return page in module
        LTI allowing attacker to include arbitrary message in URL query
        string." [15]

MITIGATION

        The vendor has stated that these issues have been corrected in
        versions 2.8, 2.7.3, 2.6.6 and 2.5.9. [1 - 15]
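Triage usually starts with one question: is this install at or past the fixed release for its branch? The following Python is an added example, not part of the AusCERT bulletin and not Moodle code. It reads the `$release` string from a Moodle version.php (the sample file text here is constructed), maps the stable branch to the fixed patch level listed above, and classifies the install. The handling of the trailing `+` (a weekly build cut after the tagged release) and of a `dev` suffix follows Moodle's release-string convention, and the choice to treat a weekly build below the fixed release as vulnerable is this example's conservative assumption; the function and variable names are this example's own.

```python
import re
import sys
from typing import NamedTuple, Optional, Tuple

# Fixed patch level per stable branch, taken from this bulletin. 2.8 is the
# first release of its branch, so every 2.8.x and later release counts as fixed.
FIXED_PATCH_BY_BRANCH = {(2, 5): 9, (2, 6): 6, (2, 7): 3}
FIRST_FIXED_BRANCH = (2, 8)


class Release(NamedTuple):
    major: int
    minor: int
    patch: int
    weekly: bool   # trailing '+': weekly build cut after the tagged release
    dev: bool      # 'dev' suffix: development build, not a tagged release


# Leading version in Moodle's $release string, e.g. '2.7.2+ (Build: 20141114)',
# '2.8 (Build: 20141110)' or '2.9dev (Build: 20141121)'.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(\+)?(dev)?")


def parse_release(release: str) -> Optional[Release]:
    """Parse the version part of a $release string; None if it is not one."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        return None
    major, minor, patch, plus, dev = m.groups()
    return Release(int(major), int(minor), int(patch or 0), plus is not None, dev is not None)


def release_from_version_php(source: str) -> Optional[str]:
    """Extract the $release value from the text of Moodle's version.php."""
    m = re.search(r"\$release\s*=\s*'([^']*)'", source)
    return m.group(1) if m else None


def assess(release: str) -> Tuple[str, str]:
    """Classify a $release string against this bulletin.

    Returns (status, reason); status is 'fixed', 'vulnerable', 'unsupported'
    (branch older than any fixed release listed here) or 'unknown'.
    """
    rel = parse_release(release)
    if rel is None:
        return "unknown", f"cannot parse release string {release!r}"
    branch = f"{rel.major}.{rel.minor}"
    if rel.dev:
        return "unknown", f"{release} is a development build; check its git history, not its number"
    if (rel.major, rel.minor) >= FIRST_FIXED_BRANCH:
        return "fixed", f"branch {branch} starts at a fixed release"
    fixed_patch = FIXED_PATCH_BY_BRANCH.get((rel.major, rel.minor))
    if fixed_patch is None:
        return "unsupported", f"branch {branch} has no fixed release in this bulletin; upgrade to a supported branch"
    if rel.patch >= fixed_patch:
        return "fixed", f"{branch}.{rel.patch} is at or past {branch}.{fixed_patch}"
    # A '+' weekly build sits between tagged releases and may already carry
    # some fixes, but only the tagged release is vouched for: treat as vulnerable.
    note = " (weekly build; only the tagged release is known to be fixed)" if rel.weekly else ""
    return "vulnerable", f"{branch}.{rel.patch} is below {branch}.{fixed_patch}{note}"


def assess_version_php(source: str) -> Tuple[str, str]:
    """Classify an install from the contents of its version.php."""
    release = release_from_version_php(source)
    if release is None:
        return "unknown", "no $release assignment found in version.php"
    return assess(release)


# Constructed sample of a version.php from an install one weekly build past 2.7.2
# (the $version number is made up for the example).
SAMPLE_VERSION_PHP = """<?php
$version  = 2014051203.02;
$release  = '2.7.2+ (Build: 20141114)';
$branch   = '27';
"""

if __name__ == "__main__":
    # Usage: python moodle_asb_2014_0137.py /path/to/moodle/version.php
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VERSION_PHP
    status, reason = assess_version_php(source)
    print(f"{status}: {reason}")
```

Run it against the install's version.php rather than the version shown in the admin UI, since the UI is only reachable with an account. A result of "unsupported" means the branch is older than 2.5 and has no fixed release in this bulletin at all; the only remedy is an upgrade to a supported branch.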
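The two CSRF entries ([12], [14]) and the reflected XSS in [2] come down to two missing lines of defence: a state-changing script that never checks the per-session key, and a search string written back into an HTML attribute unescaped. The following Python is an added example, not code from the bulletin and not Moodle's code. It models both defects beside their fixes with no web framework: sessions and requests are plain dicts, the forged and legitimate requests are constructed for the example, and every function and parameter name here is this example's own.

```python
import hmac
import html
import secrets

# A session is a dict holding the user's per-session anti-CSRF key (Moodle
# calls it the sesskey); a request is a dict of query parameters. The victim's
# browser attaches session cookies to a cross-site request, but a forged
# request cannot contain the sesskey, which only same-origin pages can read.


def new_session(user: str = "alice") -> dict:
    """Start a session with a fresh, unguessable session key."""
    return {"user": user, "sesskey": secrets.token_urlsafe(16), "tracking": {}}


def _apply_tracking(request: dict, session: dict) -> None:
    forum_id = request["params"]["id"]
    session["tracking"][forum_id] = request["params"].get("track") == "1"


def set_tracking_vulnerable(request: dict, session: dict) -> dict:
    """Before the fix: any request carrying the user's cookies changes state.
    Another site can trigger it with <img src="/mod/forum/settracking.php?id=7&track=1">."""
    _apply_tracking(request, session)
    return {"status": 200, "body": "tracking updated"}


def set_tracking_fixed(request: dict, session: dict) -> dict:
    """After the fix: refuse unless the request carries the session's own key.
    Comparing as bytes keeps compare_digest constant-time and tolerates non-ASCII input."""
    supplied = request["params"].get("sesskey", "")
    if not hmac.compare_digest(supplied.encode("utf-8"), session["sesskey"].encode("utf-8")):
        return {"status": 403, "body": "invalid sesskey"}
    _apply_tracking(request, session)
    return {"status": 200, "body": "tracking updated"}


def search_box_vulnerable(last_search: str) -> str:
    """Before the fix: the previous search string is echoed raw into an attribute,
    so a crafted search link closes the attribute and injects markup."""
    return f'<input type="text" name="search" value="{last_search}">'


def search_box_fixed(last_search: str) -> str:
    """After the fix: escape for the HTML attribute context, quotes included."""
    return f'<input type="text" name="search" value="{html.escape(last_search, quote=True)}">'


def forged_request(forum_id: str) -> dict:
    """Constructed cross-site request: cookies ride along, the sesskey does not."""
    return {"params": {"id": forum_id, "track": "1"}}


def legitimate_request(forum_id: str, session: dict) -> dict:
    """Constructed same-site request built by a page that knows the sesskey."""
    return {"params": {"id": forum_id, "track": "1", "sesskey": session["sesskey"]}}


if __name__ == "__main__":
    victim = new_session()
    print(set_tracking_vulnerable(forged_request("7"), victim), victim["tracking"])
    victim = new_session()
    print(set_tracking_fixed(forged_request("7"), victim), victim["tracking"])
    print(set_tracking_fixed(legitimate_request("7", victim), victim), victim["tracking"])
    payload = '"><script>alert(1)</script>'
    print(search_box_vulnerable(payload))
    print(search_box_fixed(payload))
```

In Moodle itself the same two lines are `require_sesskey()` before any state change and `s()` around any value written into markup. The session-key check only helps if the key never appears in a URL an attacker can read (referrer leaks, logs, the "arbitrary message in URL query string" issue in [15] is a reminder of how much ends up in query strings), which is why the fixed handler above also treats a missing key the same as a wrong one.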
REFERENCES

        [1] MSA-14-0035: Headers not added to some AJAX scripts
            https://moodle.org/mod/forum/discuss.php?d=275146

        [2] MSA-14-0036: XSS in mapcourse script in Feedback module
            https://moodle.org/mod/forum/discuss.php?d=275147

        [3] MSA-14-0037: Weak temporary password generation
            https://moodle.org/mod/forum/discuss.php?d=275152

        [4] MSA-14-0038: Hidden grade information exposed by web services
            https://moodle.org/mod/forum/discuss.php?d=275153

        [5] MSA-14-0039: Insufficient access check in LTI module
            https://moodle.org/mod/forum/discuss.php?d=275154

        [6] MSA-14-0040: Information leak in Database activity module
            https://moodle.org/mod/forum/discuss.php?d=275155

        [7] MSA-14-0041: Lack of capability check in tags list access
            https://moodle.org/mod/forum/discuss.php?d=275157

        [8] MSA-14-0042: Lack of access check in IP lookup functionality
            https://moodle.org/mod/forum/discuss.php?d=275158

        [9] MSA-14-0043: Lack of group check in web service for Forum
            https://moodle.org/mod/forum/discuss.php?d=275159

        [10] MSA-14-0044: Hardware path disclosed in the error message
             https://moodle.org/mod/forum/discuss.php?d=275160

        [11] MSA-14-0045: XSS file upload possible through web service
             https://moodle.org/mod/forum/discuss.php?d=275161

        [12] MSA-14-0046: CSRF in LTI module
             https://moodle.org/mod/forum/discuss.php?d=275162

        [13] MSA-14-0047: Possible data loss in Wiki activity
             https://moodle.org/mod/forum/discuss.php?d=275163

        [14] MSA-14-0048: CSRF in forum tracking toggle
             https://moodle.org/mod/forum/discuss.php?d=275164

        [15] Possible to print arbitrary message to user by modifying URL
             https://moodle.org/mod/forum/discuss.php?d=275165

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVHVOeRLndAQH1ShLAQLnYg//VLYUZ/WMa8cJEZP9vv2W17QKkLpIOztj
6oSb2RM3YiQXxC4xEpnu4o+KmcfdwE7aF0YzG5Q+Y5l1RxGeCie8qWEBCFQ/GYxA
tBxgYOpphwCTSbXYAgX/JugQwrUYjk79L9J/W8tFoOAlqefJQijv2TssxPQy01h+
THv0WdzL76f5QdjIk8d3SI1IjO5DUZQJU9cOt5M3R39Eg0TNsgkMiX+bEKUSLmc9
tDjsbDjeUmSKDJTCcLBH7flUnIVMq9WBVwUBe4nMromjq74z4LdPt4mo4mSZBGh+
CVz9JGQzsajuC0/8+BYH8l1CiWDqAAJjoEjqZYWzPrS5YIHyDCNFPO8QDGuvolyy
TLcGnhtRo7sGt1GLOUspeNR2sH2vup4pksqt3Zcw3EhdW4nRgyqHMe9ae1/mlyNq
mOfeWQdILLsBeJ3YW9RqPsiUi4a2/1Q6QtF5hg1TUpu9oHONeTmBBTB7jQ4wpZmi
xtkqOotVIQkVOVoleUzs8fSeDTdQpXjbwumn2Qbshm3CzABk1/InNq2lRNtW4SI0
m99IL1Wo/3lAFqDgIwjooXSpz+q2zBjsljQ/mVwQFmu46nl/PWM+Sj83qjwWRku6
EVD0XZvI5oiSC9qZBED40wst/LEG6PllWMkgGFG1rN8yni6gfwzI297NJE102TpU
40mfbnrf5VE=
=gqhK
-----END PGP SIGNATURE-----