Bug 454246 - (CVE-2008-1502) CVE-2008-1502 moodle: KSES related XSS issue
CVE-2008-1502 moodle: KSES related XSS issue
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
source=osssecurity,reported=20080706,...
: Security
Depends On: 454247
Blocks:
  Show dependency treegraph
 
Reported: 2008-07-07 03:28 EDT by Tomas Hoger
Modified: 2016-03-04 06:49 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-07-09 02:51:24 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2008-07-07 03:28:14 EDT
Quoting Moodle security advisory MSA-08-0008:

During internal code review performed by Allegro.pl, some weaknesses were
discovered in KSES - PHP HTML/XHTML filter. HTML filters using or based on kses
are part of many popular projects, including WordPress, Moodle, Drupal,
eGroupware, Dokeos, PHP-Nuke, Geeklog and others. Issues found range from
cross-site scripting to code execution, depending on implementation.

[...]

There is a new option "Use HTML Purifier" in 1.9, it uses a different
whitelisting technique which is considered to be much safer than KSES.

Upstream advisory:
http://moodle.org/mod/forum/discuss.php?d=95031

Fixed upstream in: 1.8.5, 1.9

Upstream patches (1.8.x CVS branch):
http://cvs.moodle.org/moodle/lib/kses.php?r1=1.3.12.3&r2=1.3.12.4
http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.812.2.99&r2=1.812.2.100

F-9 and Rawhide are already using 1.9.  F-8 should probably be updated to 1.8.5
or patches above can be applied.
Comment 2 Fedora Update System 2008-07-07 10:38:52 EDT
moodle-1.8.5-1.fc8 has been submitted as an update for Fedora 8
Comment 3 Fedora Update System 2008-07-08 22:49:58 EDT
moodle-1.8.5-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Red Hat Product Security 2008-07-09 02:51:24 EDT
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-6226


Note You need to log in before you can comment on or make changes to this bug.