
===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0219
          Multiple vulnerabilities have been identified in Moodle
                             19 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Moodle
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Reduced Security                -- Unknown/Unspecified         
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-1999022 CVE-2018-14631 CVE-2018-14630
Member content until: Friday, October 19 2018

OVERVIEW

        Multiple vulnerabilities have been identified in Moodle versions prior to
        3.5.2, 3.4.5, 3.3.8 and 3.1.14 [1-3].


IMPACT

        The vendor has provided the following details regarding these 
        vulnerabilities:
        
        "MSA-18-0017: Moodle XML import of ddwtos could lead to intentional 
        remote code execution
        
        When importing legacy 'drag and drop into text' (ddwtos) type quiz 
        questions, it was possible to inject and execute PHP code from within
        the imported questions, either intentionally or by importing
        questions from an untrusted source.
        
        Severity/Risk: 		Serious
        Versions affected: 	3.5 to 3.5.1, 3.4 to 3.4.4, 3.1 to 3.1.13 and 
        			earlier unsupported versions
        Versions fixed: 	3.5.2, 3.4.5, 3.3.8 and 3.1.14
        Reported by: 		Johannes Moritz
        CVE identifier: 	CVE-2018-14630
        Changes (master): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62880
        Tracker issue: 		MDL-62880 Moodle XML import of ddwtos could
        			lead to intentional remote code execution" [1]
        
        "MSA-18-0018: QuickForm library remote code vulnerability (upstream)
        
        A security vulnerability was reported against QuickForm, a third 
        party library used by Moodle. Although no attack vector was
        identified within our software, Moodle has updated to patched
        versions of QuickForm as a precaution.
        
        Severity/Risk: 		Minor
        Versions affected: 	3.5 to 3.5.1, 3.4 to 3.4.4, 3.3 to 3.3.7, 
        			3.1 to 3.1.13 and earlier unsupported versions
        Versions fixed: 	3.5.2, 3.4.5, 3.3.8 and 3.1.14
        Reported by: 		Dan Marsden
        CVE identifier: 	CVE-2018-1999022 (PEAR HTML_QuickForm)
        Changes (master): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62947
        Tracker issue: 		MDL-62947 QuickForm library remote code 
        			vulnerability (upstream)" [2]
        
        "MSA-18-0019: Boost theme - blog search GET parameter insufficiently 
        filtered
        
        The breadcrumb navigation provided by Boost theme when displaying 
        search results of a blog was insufficiently filtered, which could 
        result in reflected XSS if a user followed a malicious link containing
        JavaScript in the search parameter.
        
        Severity/Risk: 		Minor
        Versions affected: 	3.5 to 3.5.1, 3.4 to 3.4.4, 3.3 to 3.3.7 and 
        			earlier unsupported versions
        Versions fixed: 	3.5.2, 3.4.5 and 3.3.8
        Reported by: 		Michael Hawkins
        Workaround: 		Use an alternative theme not based upon Boost
        			until the fix is applied.
        CVE identifier: 	CVE-2018-14631
        Changes (master): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62857
        Tracker issue: 		MDL-62857 Boost theme - blog search GET 
        			parameter insufficiently filtered" [3]


MITIGATION

        The vendor has stated that these issues have been corrected in 
        versions 3.5.2, 3.4.5, 3.3.8 and 3.1.14 [1-3].
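        As an added example that is not part of this bulletin or of Moodle's own
        tooling, the following Python helper encodes the "Versions affected" and
        "Versions fixed" lines quoted above so that an administrator can check an
        installed Moodle version string against all three advisories at once. The
        version data are transcribed from the vendor text; the tuple scheme and the
        status labels ("fixed", "affected", "unsupported", "not listed") are this
        example's own.

```python
"""Check an installed Moodle version against the three MSAs in this bulletin."""
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Transcribed from the vendor text quoted above: per advisory, the first fixed
# release on each branch and the branches explicitly listed as affected.
ADVISORIES: Dict[str, dict] = {
    "MSA-18-0017 / CVE-2018-14630": {
        "fixed": {(3, 5): (3, 5, 2), (3, 4): (3, 4, 5), (3, 3): (3, 3, 8), (3, 1): (3, 1, 14)},
        "affected": {(3, 5), (3, 4), (3, 1)},
    },
    "MSA-18-0018 / CVE-2018-1999022": {
        "fixed": {(3, 5): (3, 5, 2), (3, 4): (3, 4, 5), (3, 3): (3, 3, 8), (3, 1): (3, 1, 14)},
        "affected": {(3, 5), (3, 4), (3, 3), (3, 1)},
    },
    "MSA-18-0019 / CVE-2018-14631": {
        "fixed": {(3, 5): (3, 5, 2), (3, 4): (3, 4, 5), (3, 3): (3, 3, 8)},
        "affected": {(3, 5), (3, 4), (3, 3)},
    },
}
# Branches that receive a fix anywhere in the bulletin are the supported ones.
SUPPORTED = {b for adv in ADVISORIES.values() for b in adv["fixed"]}

def parse_version(text: str) -> Version:
    """Parse '3.4.4' or '3.5' (the .0 release of a branch) into a comparable tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) == 2:
        parts.append(0)
    if len(parts) != 3:
        raise ValueError(f"unexpected Moodle version: {text!r}")
    return parts[0], parts[1], parts[2]

def status(version: str, advisory: str) -> str:
    """Return 'fixed', 'affected', 'unsupported' or 'not listed' for one advisory."""
    v = parse_version(version)
    branch = v[:2]
    adv = ADVISORIES[advisory]
    if branch in adv["fixed"]:
        return "fixed" if v >= adv["fixed"][branch] else "affected"
    if branch in SUPPORTED:          # supported branch the advisory does not name
        return "not listed"
    if branch < min(adv["affected"]):  # "earlier unsupported versions": no fix
        return "unsupported"
    return "not listed"

def affected_advisories(version: str) -> Dict[str, str]:
    """Map every advisory in the bulletin to its status for this install."""
    return {name: status(version, name) for name in ADVISORIES}

if __name__ == "__main__":
    for v in ("3.5.1", "3.5.2", "3.1.13", "3.0.10"):
        print(v, affected_advisories(v))
```

        Any result other than "fixed" or "not listed" means the install should be
        upgraded to the fixed release for its branch, or to a supported branch if
        none exists.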


REFERENCES

        [1] MSA-18-0017: Moodle XML import of ddwtos could lead to intentional
            remote code execution
            https://moodle.org/mod/forum/discuss.php?d=376023

        [2] MSA-18-0018: QuickForm library remote code vulnerability (upstream)
            https://moodle.org/mod/forum/discuss.php?d=376024

        [3] MSA-18-0019: Boost theme - blog search GET parameter insufficiently
            filtered
            https://moodle.org/mod/forum/discuss.php?d=376025

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================