Bug 857902 - (CVE-2012-4401) CVE-2012-4401 moodle: Course topics permission issue (MSA-12-0052)
CVE-2012-4401 moodle: Course topics permission issue (MSA-12-0052)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20120917,reported=2...
: Security
Depends On: 857981
Blocks:
  Show dependency treegraph
 
Reported: 2012-09-17 08:53 EDT by Jan Lieskovsky
Modified: 2013-01-21 15:55 EST (History)
1 user (show)

See Also:
Fixed In Version: moodle 2.3.2, moodle 2.2.5, moodle 2.1.8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-01-21 15:55:49 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2012-09-17 08:53:08 EDT
A security flaw was found in the way Moodle course management system performed user permissions validation by course topic management. A remote attackers, with course editing capabilities, but without ability to show / hide topics or set the current topic for a particular course could use this flaw to successfully complete these actions under certain circumstances.

Upstream patch:
[1] http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28207

References:
[2] http://www.openwall.com/lists/oss-security/2012/09/17/1
Comment 1 Jan Lieskovsky 2012-09-17 09:31:40 EDT
This issue affects the version of the moodle package, as shipped with Fedora release of 17 (the upstream course/view.php patch part is applicable).

--

This issue did NOT affect the version of the moodle package, as shipped with Fedora release of 16.

This issue did NOT affect the versions of the moodle package, as shipped with Fedora EPEL 5 and 6.
Comment 2 Gwyn Ciesla 2012-09-17 12:18:57 EDT
Update in progress, not linked to any BZ, none assigned to me.
Comment 3 Prasad J Pandit 2012-09-17 12:48:33 EDT
Created moodle tracking bugs for this issue

Affects: fedora-17 [bug 857981]

Note You need to log in before you can comment on or make changes to this bug.