Bug 575904

Summary: moodle, glpi: XSS vulnerability in embedded phpCAS
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: gwync
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-19 09:11:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 575905, 575906    
Bug Blocks:    

Description Vincent Danen 2010-03-22 17:03:20 UTC 
An XSS flaw was reported in the phpCAS library [1], where it would not properly sanitize the submitted URL before displaying it on the error page.  This could allow an attacker to insert scripts or other malicious content on the error page.

Both Moodle and gpli embedd the phpCAS library.  The Moodle developers are currently testing the upstream patch for regressions [2] (the bug is currently private).  The upstream bug report has a patch to correct this issue attached.

References:
[1] http://www.ja-sig.org/issues/browse/PHPCAS-52
[2] http://tracker.moodle.org/browse/MDL-21802
Comment 3 Fedora Update System 2010-03-23 07:28:53 UTC 
glpi-0.72.4-2.svn11035.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/glpi-0.72.4-2.svn11035.el5
Comment 4 Fedora Update System 2010-03-23 07:29:08 UTC 
glpi-0.72.4-2.svn11035.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/glpi-0.72.4-2.svn11035.fc11
Comment 5 Fedora Update System 2010-03-23 07:29:29 UTC 
glpi-0.72.4-2.svn11035.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/glpi-0.72.4-2.svn11035.fc12
Comment 6 Fedora Update System 2010-03-23 07:31:09 UTC 
glpi-0.72.4-2.svn11035.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/glpi-0.72.4-2.svn11035.fc13
Comment 7 Fedora Update System 2010-03-23 23:18:08 UTC 
glpi-0.72.4-2.svn11035.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2010-03-23 23:23:25 UTC 
glpi-0.72.4-2.svn11035.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2010-03-23 23:40:12 UTC 
glpi-0.72.4-2.svn11035.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2010-03-24 18:02:00 UTC 
glpi-0.72.4-2.svn11035.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Gwyn Ciesla 2010-03-24 19:23:18 UTC 
I'd really love to patch Moodle, but my Moodle Jira login lacks the requisite permissions.  I've emailed their Jira admins for assistance.
Comment 12 Fedora Update System 2010-03-25 17:17:17 UTC 
moodle-1.9.8-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/moodle-1.9.8-1.fc11
Comment 13 Fedora Update System 2010-03-25 17:17:19 UTC 
moodle-1.9.8-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/moodle-1.9.8-1.fc12
Comment 14 Fedora Update System 2010-03-25 17:17:21 UTC 
moodle-1.9.8-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/moodle-1.9.8-1.fc13
Comment 15 Fedora Update System 2010-03-27 00:54:57 UTC 
moodle-1.9.8-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2010-03-27 00:58:16 UTC 
moodle-1.9.8-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2010-04-01 17:17:53 UTC 
moodle-1.9.8-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.