Bug 857901 (CVE-2012-4402, CVE-2012-4403)

Summary: CVE-2012-4402 CVE-2012-4403 Moodle web service access token issue - (MSA-12-0055)
Product: [Other] Security Response Reporter: Prasad Pandit <ppandit>
Component: vulnerability Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecified CC: gwync, jlieskov
Target Milestone: --- Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: moodle 2.3.2, moodle 2.2.5, moodle 2.1.8 Doc Type: Bug Fix
Last Closed: 2013-01-21 20:55:25 UTC Type: ---
Bug Depends On: 857981, 857983, 857984    
Bug Blocks:    

Description Prasad Pandit 2012-09-17 12:51:41 UTC
A service token validation issue was found in the Moodle Course Management
System.

Users with permission to access multiple services were able to use a token
from one service to access another. An attacker could use this flaw,
in an unauthorized way, to access content of an external service.

Moodle versions 2.3 to 2.3.1, 2.2 to 2.2.4+, 2.1 to 2.1.7+ were found to be
vulnerable.

This issue is fixed upstream.
-> http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34368
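
Added example (not part of the original report and not Moodle's code): a minimal model of the flaw described above, where a check that only asks whether the token's owner may use the requested service is compared with one that also binds the token to the service it was issued for. The token values, user names, service names and function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    user: str
    service: str  # the single service this token was issued for

# Constructed sample data (hypothetical names, not Moodle's schema).
TOKENS = {
    "tok-mobile-1111": Token("alice", "mobile_app"),
    "tok-grades-2222": Token("alice", "grade_export"),
    "tok-mobile-3333": Token("bob", "mobile_app"),
}
# Services each user is permitted to call.
USER_SERVICES = {
    "alice": {"mobile_app", "grade_export"},
    "bob": {"mobile_app"},
}

def authorize_user_only(token_value, requested_service):
    """Flawed pattern: valid token + user permitted on the service.
    Never asks which service the token itself was issued for."""
    tok = TOKENS.get(token_value)
    if tok is None:
        return False
    return requested_service in USER_SERVICES.get(tok.user, set())

def authorize_token_bound(token_value, requested_service):
    """Corrected pattern: the token must also belong to the requested service."""
    tok = TOKENS.get(token_value)
    if tok is None:
        return False
    if requested_service not in USER_SERVICES.get(tok.user, set()):
        return False
    return tok.service == requested_service

def cross_service_findings(check):
    """List (token, service) pairs where `check` accepts a token
    on a service it was not issued for."""
    services = {t.service for t in TOKENS.values()}
    return sorted(
        (value, svc)
        for value, tok in TOKENS.items()
        for svc in services
        if svc != tok.service and check(value, svc)
    )

if __name__ == "__main__":
    print("user-only check  :", cross_service_findings(authorize_user_only))
    print("token-bound check:", cross_service_findings(authorize_token_bound))
```

`cross_service_findings` doubles as a regression test: it must return an empty list for any authorization routine that binds tokens to their service.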

Comment 1 Prasad Pandit 2012-09-17 14:53:15 UTC
This issue affects the version of the moodle package as shipped with the Fedora release 16 and 17. Please schedule an update.

--
This issue affects the version of the moodle package as shipped with the Fedora EPEL-6 release. Please schedule an update.

--
This issue did NOT affect the version of the moodle package as shipped with the Fedora EPEL-5 release.

Comment 2 Gwyn Ciesla 2012-09-17 16:19:03 UTC
Update in progress, not linked to any BZ, none assigned to me.

Comment 3 Prasad Pandit 2012-09-17 16:33:50 UTC
The oss-security post[1] also mentions - CVE-2012-4403 - as below:

===
MSA-12-0056: Information leak in drag-and-drop

Topic:             Information disclosure in yui_combo.php
Severity/Risk:     Minor
Versions affected: 2.3 to 2.3.1+
Reported by:       Mark Baseggio
Issue no.:         MDL-35168
CVE Identifier:    CVE-2012-4403
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35168
Description:
The drag-and-drop script was responding to bad requests with
information that included the full path to scripts on the server.
===

None of the Fedora or EPEL versions of the moodle package are vulnerable to this flaw, because the flaw gives away absolute file paths via the variable ($contentfile). This variable is not present in any of the Fedora or EPEL versions of the moodle package.

 F17 -> moodle-2.2.4-1.fc17.noarch.rpm
 F16 -> moodle-2.0.10-1.fc16.noarch.rpm
 Fedora EPEL-6 -> moodle-2.1.7-1.el6.noarch.rpm
 Fedora EPEL-5 -> moodle-1.8.13-4.el5.noarch.rpm

[1] http://www.openwall.com/lists/oss-security/2012/09/17/1
[2] http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=a2bdf3401754815e45b8be5199c0db09eceefffd

Comment 4 Prasad Pandit 2012-09-17 16:49:53 UTC
Created moodle tracking bugs for this issue

Affects: fedora-17 [bug 857981]

Comment 5 Prasad Pandit 2012-09-17 16:52:42 UTC
Created moodle tracking bugs for this issue

Affects: fedora-16 [bug 857983]

Comment 6 Prasad Pandit 2012-09-17 16:54:40 UTC
Created moodle tracking bugs for this issue

Affects: epel-6 [bug 857984]