Bug 454246 (CVE-2008-1502)

Summary: CVE-2008-1502 moodle: KSES related XSS issue
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: gwync
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-07-09 06:51:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 454247    
Bug Blocks:    

Description Tomas Hoger 2008-07-07 07:28:14 UTC 
Quoting Moodle security advisory MSA-08-0008:

During internal code review performed by Allegro.pl, some weaknesses were
discovered in KSES - PHP HTML/XHTML filter. HTML filters using or based on kses
are part of many popular projects, including WordPress, Moodle, Drupal,
eGroupware, Dokeos, PHP-Nuke, Geeklog and others. Issues found range from
cross-site scripting to code execution, depending on implementation.

[...]

There is a new option "Use HTML Purifier" in 1.9, it uses a different
whitelisting technique which is considered to be much safer than KSES.

Upstream advisory:
http://moodle.org/mod/forum/discuss.php?d=95031

Fixed upstream in: 1.8.5, 1.9

Upstream patches (1.8.x CVS branch):
http://cvs.moodle.org/moodle/lib/kses.php?r1=1.3.12.3&r2=1.3.12.4
http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.812.2.99&r2=1.812.2.100

F-9 and Rawhide are already using 1.9.  F-8 should probably be updated to 1.8.5
or patches above can be applied.
Comment 2 Fedora Update System 2008-07-07 14:38:52 UTC 
moodle-1.8.5-1.fc8 has been submitted as an update for Fedora 8
Comment 3 Fedora Update System 2008-07-09 02:49:58 UTC 
moodle-1.8.5-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Red Hat Product Security 2008-07-09 06:51:24 UTC 
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-6226