Bug 484916 (CVE-2009-0499)

Summary: CVE-2009-0499 moodle: CSRF vuln in forum code
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0499
Keywords: Security
Reporter: Vincent Danen <vdanen>
Assignee: Red Hat Product Security <security-response-team>
CC: gwync
Doc Type: Bug Fix
Last Closed: 2009-02-19 08:02:29 UTC
Bug Depends On: 484917, 484918, 484919, 484920, 484921

Description Vincent Danen 2009-02-10 18:05:57 UTC
Name: CVE-2009-0499
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0499
Assigned: 20090209
Reference: MLIST:[oss-security] 20090204 CVS request - Moodle
Reference: URL: http://www.openwall.com/lists/oss-security/2009/02/04/1
Reference: CONFIRM: http://cvs.moodle.org/moodle/mod/forum/post.php?r1=1.154.2.14&r2=1.154.2.15
Reference: CONFIRM: http://moodle.org/security/

Cross-site request forgery (CSRF) vulnerability in the forum code in
Moodle 1.7 before 1.7.7, 1.8 before 1.8.8, and 1.9 before 1.9.4 allows
remote attackers to delete unauthorized forum posts via a link or IMG
tag to post.php.
Additional information from upstream (http://moodle.org/security/)

MSA-09-0008: CSRF vulnerability in forum code
Versions affected: < 1.9.4, < 1.8.8, < 1.7.7
http://cvs.moodle.org/moodle/mod/forum/post.php?r1=1.154.2.14&r2=1.154.2.15
http://cvs.moodle.org/moodle/mod/forum/prune.html?r1=1.8&r2=1.8.4.1
http://cvs.moodle.org/moodle/mod/forum/post.php?r1=1.154.2.15&r2=1.154.2.16
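The CSRF shape described in this report, as an added illustration that is not Moodle's code and not the upstream fix linked above: a "delete post" handler that honours any request carrying a valid login cookie, beside one that only acts on a POST whose body carries a secret token bound to the session. Function and parameter names are hypothetical, and the requests at the bottom are constructed so the script runs from the command line with `php`.

```php
<?php
// Added illustration (not Moodle's code): a state-changing "delete post"
// handler without and with anti-CSRF protection, driven by constructed
// requests so the script runs from the CLI. All names are hypothetical.

// Vulnerable pattern: a GET request with ?delete=<id> is honoured as long
// as the browser carries a valid login session. Any third-party page the
// victim views can trigger it with a link or IMG tag, because the browser
// attaches the session cookie automatically.
function handle_delete_vulnerable(array $session, array $get): bool
{
    if (empty($session['userid']) || empty($get['delete'])) {
        return false;            // not logged in, or nothing to delete
    }
    return true;                 // deletion would proceed
}

// Hardened pattern: the deletion must arrive as a POST whose body carries
// a per-session secret. A cross-site link or IMG tag cannot supply that
// value, because the attacking page never gets to read the victim's session.
function new_session_token(): string
{
    return bin2hex(random_bytes(16));   // 128-bit secret, generated at login
}

function handle_delete_hardened(array $session, string $method, array $post): bool
{
    if (empty($session['userid']) || empty($post['delete'])) {
        return false;
    }
    if ($method !== 'POST') {
        return false;            // state changes never ride on GET
    }
    $sent = $post['token'] ?? '';
    // hash_equals() compares in constant time, so a wrong token does not
    // leak how many leading bytes matched.
    if (!is_string($sent) || !hash_equals($session['token'], $sent)) {
        return false;            // missing or wrong token: refuse
    }
    return true;                 // genuine same-site form submission
}

// Constructed sample session and requests.
$session = ['userid' => 42, 'token' => new_session_token()];

echo "forged cross-site GET, vulnerable handler: ",
    var_export(handle_delete_vulnerable($session, ['delete' => 123]), true), "\n";
echo "forged cross-site GET, hardened handler:   ",
    var_export(handle_delete_hardened($session, 'GET', ['delete' => 123]), true), "\n";
echo "forged POST without token, hardened:       ",
    var_export(handle_delete_hardened($session, 'POST', ['delete' => 123]), true), "\n";
echo "legitimate POST with session token:        ",
    var_export(handle_delete_hardened($session, 'POST',
        ['delete' => 123, 'token' => $session['token']]), true), "\n";
```

The two properties that matter are that the token is unguessable and tied to the victim's session, and that the handler refuses the request when it is absent rather than falling back to the cookie alone; restricting the action to POST closes the link/IMG vector on its own, but the token is what stops an auto-submitting cross-site form. Same-site cookie attributes and Origin/Referer checks are useful defence in depth, not a substitute for the token check.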

Comment 1 Vincent Danen 2009-02-10 18:06:38 UTC
Created moodle tracking bugs for this issue

CVE-2009-0499 Affects: F10 [bug #484917]
CVE-2009-0499 Affects: F9 [bug #484918]
CVE-2009-0499 Affects: Fdevel [bug #484919]
CVE-2009-0499 Affects: epel-4 [bug #484920]
CVE-2009-0499 Affects: epel-5 [bug #484921]

Comment 2 Red Hat Product Security 2009-02-19 08:02:29 UTC
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F10/FEDORA-2009-1699
  https://admin.fedoraproject.org/updates/F9/FEDORA-2009-1641