Bug 454246 (CVE-2008-1502) - CVE-2008-1502 moodle: KSES related XSS issue
Summary: CVE-2008-1502 moodle: KSES related XSS issue
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-1502
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 454247
Blocks:
 
Reported: 2008-07-07 07:28 UTC by Tomas Hoger
Modified: 2019-09-29 12:25 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-09 06:51:24 UTC
Embargoed:



Description Tomas Hoger 2008-07-07 07:28:14 UTC
Quoting Moodle security advisory MSA-08-0008:

During internal code review performed by Allegro.pl, some weaknesses were
discovered in KSES - PHP HTML/XHTML filter. HTML filters using or based on kses
are part of many popular projects, including WordPress, Moodle, Drupal,
eGroupware, Dokeos, PHP-Nuke, Geeklog and others. Issues found range from
cross-site scripting to code execution, depending on implementation.

[...]

There is a new option "Use HTML Purifier" in 1.9, it uses a different
whitelisting technique which is considered to be much safer than KSES.

Upstream advisory:
http://moodle.org/mod/forum/discuss.php?d=95031

Fixed upstream in: 1.8.5, 1.9

Upstream patches (1.8.x CVS branch):
http://cvs.moodle.org/moodle/lib/kses.php?r1=1.3.12.3&r2=1.3.12.4
http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.812.2.99&r2=1.812.2.100

F-9 and Rawhide are already using 1.9. F-8 should probably be updated to 1.8.5,
or the patches above can be applied.

Comment 2 Fedora Update System 2008-07-07 14:38:52 UTC
moodle-1.8.5-1.fc8 has been submitted as an update for Fedora 8

Comment 3 Fedora Update System 2008-07-09 02:49:58 UTC
moodle-1.8.5-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Red Hat Product Security 2008-07-09 06:51:24 UTC
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-6226



