Bug 1186782 (CVE-2015-1493)

Summary: CVE-2015-1493 moodle: Directory Traversal Attack possible through some files serving JS (MSA-15-0009)
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: jrusnack, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Moodle 2.8.3, 2.7.5 and 2.6.8 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-22 15:37:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1190119    
Bug Blocks: 1186783    

Description Vasyl Kaigorodov 2015-01-28 14:25:31 UTC 
Upstream reports:

Parameter "file" passed to scripts serving JS was not always cleaned from including "../" in the path, allowing to read files located outside of moodle directory. All OS are affected but especially vulnerable are Windows servers
Reported by:       Emiel Florijn
Issue no.:         MDL-48980
Workaround:        Prevent access to URLs containing "../" or "..\" in web server configuration
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48980
Comment 1 Vasyl Kaigorodov 2015-02-06 11:46:31 UTC 
Created moodle tracking bugs for this issue:

Affects: fedora-all [bug 1190119]
Comment 2 Kurt Seifried 2015-02-13 21:56:00 UTC 
Upstream reference: https://moodle.org/mod/forum/discuss.php?d=279956
Comment 3 Kurt Seifried 2015-07-16 01:21:49 UTC 
Mitigation:

Prevent access to URLs containing "../" or "..\" in web server configuration