Bug 857901 - (CVE-2012-4402, CVE-2012-4403) CVE-2012-4402 CVE-2012-4403 Moodle web service access token issue - (MSA-12-0055)
CVE-2012-4402 CVE-2012-4403 Moodle web service access token issue - (MSA-12-0...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20120917,reported=2...
: Security
Depends On: 857981 857983 857984
Blocks:
  Show dependency treegraph
 
Reported: 2012-09-17 08:51 EDT by Prasad J Pandit
Modified: 2015-07-31 02:53 EDT (History)
2 users (show)

See Also:
Fixed In Version: moodle 2.3.2, moodle 2.2.5, moodle 2.1.8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-01-21 15:55:25 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Prasad J Pandit 2012-09-17 08:51:41 EDT
A service token validation issue was found in the Moodle Course Management
System.

Users with permission to access multiple services were able to use a token
from one service to access another. An attacker could use this flaw,
in an unauthorized way, to access content of an external service.

Moodle versions 2.3 to 2.3.1, 2.2 to 2.2.4+, 2.1 to 2.1.7+ were found to be
vulnerable.

This issue is fixed upstream.
-> http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34368
Comment 1 Prasad J Pandit 2012-09-17 10:53:15 EDT
This issue affects the version of the moodle package as shipped with the Fedora release 16 and 17. Please schedule an update.

--
This issue affects the version of the moodle package as shipped with the Fedora EPEL-6 release. Please schedule an update.

--
This issue did NOT affect the version of the moodle package as shipped with the Fedora EPEL-5 release.
Comment 2 Gwyn Ciesla 2012-09-17 12:19:03 EDT
Update in progress, not linked to any BZ, none assigned to me.
Comment 3 Prasad J Pandit 2012-09-17 12:33:50 EDT
The oss-security post[1] also mentions - CVE-2012-4403 - as below:

===
MSA-12-0056: Information leak in drag-and-drop

Topic:             Information disclosure in yui_combo.php
Severity/Risk:     Minor
Versions affected: 2.3 to 2.3.1+
Reported by:       Mark Baseggio
Issue no.:         MDL-35168
CVE Identifier:    CVE-2012-4403
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35168
Description:
The drag-and-drop script was responding to bad requests with
information that included the full path to scripts on the server.
===

None of the Fedora or EPEL versions of moodle package are vulnerable to this flaw. Because the flaw gives away absolute file paths via variable ($contentfile). This variable is not present in any of the Fedora or EPEL versions of the moodle package. 

 F17 -> moodle-2.2.4-1.fc17.noarch.rpm
 F16 -> moodle-2.0.10-1.fc16.noarch.rpm
 Fedora EPEL-6 -> moodle-2.1.7-1.el6.noarch.rpm
 Fedora EPEL-5 -> moodle-1.8.13-4.el5.noarch.rpm

[1] http://www.openwall.com/lists/oss-security/2012/09/17/1
[2] http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=a2bdf3401754815e45b8be5199c0db09eceefffd
Comment 4 Prasad J Pandit 2012-09-17 12:49:53 EDT
Created moodle tracking bugs for this issue

Affects: fedora-17 [bug 857981]
Comment 5 Prasad J Pandit 2012-09-17 12:52:42 EDT
Created moodle tracking bugs for this issue

Affects: fedora-16 [bug 857983]
Comment 6 Prasad J Pandit 2012-09-17 12:54:40 EDT
Created moodle tracking bugs for this issue

Affects: epel-6 [bug 857984]

Note You need to log in before you can comment on or make changes to this bug.