857901 – (CVE-2012-4402, CVE-2012-4403) CVE-2012-4402 CVE-2012-4403 Moodle web service access token issue - (MSA-12-0055)

Bug 857901 (CVE-2012-4402, CVE-2012-4403) - CVE-2012-4402 CVE-2012-4403 Moodle web service access token issue - (MSA-12-0055)

Summary: CVE-2012-4402 CVE-2012-4403 Moodle web service access token issue - (MSA-12-0...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2012-4402, CVE-2012-4403
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	857981 857983 857984
Blocks:
TreeView+	depends on / blocked

Reported:	2012-09-17 12:51 UTC by Prasad Pandit
Modified:	2019-09-29 12:55 UTC (History)
CC List:	2 users (show)
Fixed In Version:	moodle 2.3.2, moodle 2.2.5, moodle 2.1.8
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-01-21 20:55:25 UTC
Embargoed:

Attachments	(Terms of Use)

Description Prasad Pandit 2012-09-17 12:51:41 UTC

A service token validation issue was found in the Moodle Course Management
System.

Users with permission to access multiple services were able to use a token
from one service to access another. An attacker could use this flaw,
in an unauthorized way, to access content of an external service.

Moodle versions 2.3 to 2.3.1, 2.2 to 2.2.4+, 2.1 to 2.1.7+ were found to be
vulnerable.

This issue is fixed upstream.
-> http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34368

Comment 1 Prasad Pandit 2012-09-17 14:53:15 UTC

This issue affects the version of the moodle package as shipped with the Fedora release 16 and 17. Please schedule an update.

--
This issue affects the version of the moodle package as shipped with the Fedora EPEL-6 release. Please schedule an update.

--
This issue did NOT affect the version of the moodle package as shipped with the Fedora EPEL-5 release.

Comment 2 Gwyn Ciesla 2012-09-17 16:19:03 UTC

Update in progress, not linked to any BZ, none assigned to me.

Comment 3 Prasad Pandit 2012-09-17 16:33:50 UTC

The oss-security post[1] also mentions - CVE-2012-4403 - as below:

===
MSA-12-0056: Information leak in drag-and-drop

Topic:             Information disclosure in yui_combo.php
Severity/Risk:     Minor
Versions affected: 2.3 to 2.3.1+
Reported by:       Mark Baseggio
Issue no.:         MDL-35168
CVE Identifier:    CVE-2012-4403
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35168
Description:
The drag-and-drop script was responding to bad requests with
information that included the full path to scripts on the server.
===

None of the Fedora or EPEL versions of moodle package are vulnerable to this flaw. Because the flaw gives away absolute file paths via variable ($contentfile). This variable is not present in any of the Fedora or EPEL versions of the moodle package. 

 F17 -> moodle-2.2.4-1.fc17.noarch.rpm
 F16 -> moodle-2.0.10-1.fc16.noarch.rpm
 Fedora EPEL-6 -> moodle-2.1.7-1.el6.noarch.rpm
 Fedora EPEL-5 -> moodle-1.8.13-4.el5.noarch.rpm

[1] http://www.openwall.com/lists/oss-security/2012/09/17/1
[2] http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=a2bdf3401754815e45b8be5199c0db09eceefffd

Comment 4 Prasad Pandit 2012-09-17 16:49:53 UTC

Created moodle tracking bugs for this issue

Affects: fedora-17 [bug 857981]

Comment 5 Prasad Pandit 2012-09-17 16:52:42 UTC

Created moodle tracking bugs for this issue

Affects: fedora-16 [bug 857983]

Comment 6 Prasad Pandit 2012-09-17 16:54:40 UTC

Created moodle tracking bugs for this issue

Affects: epel-6 [bug 857984]

Note You need to log in before you can comment on or make changes to this bug.