Bug 878121 (CVE-2012-5471, CVE-2012-5472, CVE-2012-5473, CVE-2012-5479, CVE-2012-5480, CVE-2012-5481) - moodle: Various security issues fixed in upstream 2.3.3, 2.2.6 and 2.1.9 versions (MSA-12-0057, MSA-12-0058, MSA-12-0059, MSA-12-0060, MSA-12-0061, MSA-12-0062, MSA-12-0063)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-5471, CVE-2012-5472, CVE-2012-5473, CVE-2012-5479, CVE-2012-5480, CVE-2012-5481
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 878132 878133
Blocks:
Reported: 2012-11-19 17:17 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:58 UTC

Fixed In Version: Moodle 2.3.3, Moodle 2.2.6, Moodle 2.1.9
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-21 20:53:19 UTC
Embargoed:



Description Jan Lieskovsky 2012-11-19 17:17:00 UTC
Moodle upstream has released versions 2.3.3, 2.2.6 and 2.1.9:
[1] http://docs.moodle.org/dev/Moodle_2.3.3_release_notes
[2] http://docs.moodle.org/dev/Moodle_2.2.6_release_notes
[3] http://docs.moodle.org/dev/Moodle_2.1.9_release_notes

correcting multiple security issues:
[4] http://www.openwall.com/lists/oss-security/2012/11/19/1

More from [4]:
=======================================================================
MSA-12-0057: Access issue through repository

Topic:             User B is able to see and use Dropbox of User A
                    within Dropbox Repository File Picker
Severity/Risk:     Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by:       Alexander Bias
Issue no.:         MDL-29872, MDL-36366
CVE Identifier:    CVE-2012-5471
Workaround:        Turn off Dropbox repository
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29872
Description:
Users who logged out of Dropbox through the Moodle repository were
disconnected in Moodle, but the user's access to Dropbox was still
allowed while their browser session continued.

=======================================================================
MSA-12-0058: Possible form data manipulation issue

Topic:             add setConstant() for hardfreeze element
Severity/Risk:     Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+
Reported by:       Rossiani Wijaya
Issue no.:         MDL-32785
CVE Identifier:    CVE-2012-5472
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32785
Description:
Frozen form elements were open to manipulation when form data was
submitted.

=======================================================================
MSA-12-0059: Information leak in Database activity module

Topic:             Members of separate groups can see Database activity
                    entries for other groups
Severity/Risk:     Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by:       Richard Meyer
Issue no.:         MDL-34448
CVE Identifier:    CVE-2012-5473
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34448
Description:
Within the Database activity module, when separate groups were used,
members of one group were able to see entries created by members of
another group by completing an advanced search.

=======================================================================
MSA-12-0060: Cross-site scripting vulnerability in YUI2

Topic:             yui2 swf vulnerability
Severity/Risk:     Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
                    1.9 to 1.9.18+
Reported by:       Petr Škoda, Jenny Donnelly
Issue no.:         MDL-36346
CVE Identifier:    CVE-2012-5475
Workaround:        Delete YUI SWF files
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36346
Description:
An XSS vulnerability has been discovered in some YUI 2 .swf files from
versions 2.4.0 through 2.9.0. This defect allows JavaScript injection
exploits to be created against domains that host affected YUI .swf
files.

=======================================================================
MSA-12-0061: Remote code execution through Portfolio API

Topic:             Portfolio plugin: Local File Inclusion (LFI) and the
                    possibility of Remote Command Execution (RCE).
Severity/Risk:     Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by:       Cristobal Leiva
Issue no.:         MDL-33791
CVE Identifier:    CVE-2012-5479
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36346
Description:
It was possible, when Moodle data is stored within the Web accessible
directory, to manipulate the Portfolio API callbacks to execute a file
uploaded by a user.

=======================================================================
MSA-12-0062: Information leak in Database activity module

Topic:             Any user (including a guest) can view entries in
                    database activity when more entries are required
                    before viewing other participants' entries
Severity/Risk:     Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by:       Tabitha Roder
Issue no.:         MDL-35558
CVE Identifier:    CVE-2012-5480
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35558
Description:
The setting requiring that a number of entries be posted to a Database
activity before others' entries could be viewed could be circumvented
using an advanced search.

=======================================================================
MSA-12-0063: Information leak in Check Permissions page

Topic:             Check Permissions page displays entire user base
                    without moodle/role:manage capability
Severity/Risk:     Minor
Versions affected: 2.3 to 2.3.2+
Reported by:       Jody Steele
Issue no.:         MDL-35381
CVE Identifier:    CVE-2012-5481
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35381
Description:
The Check Permissions page was allowing non-admin users to see the
capabilities of all users, not just users in a course/category.
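
A defender-side check for the precondition named in MSA-12-0061 (Moodle data stored within a web-accessible directory), added here as an illustration and not taken from the advisory or from Moodle: it reads `$CFG->dataroot` from config.php text and tests it against document roots supplied by the caller. The function names, the regex-based config parsing and the temporary directory tree are assumptions constructed for this example.

```python
import os
import re
import tempfile
from pathlib import Path

# Matches string assignments such as: $CFG->dataroot = '/var/moodledata';
# Lines commented out with // or # do not match because of the ^\s* anchor.
CFG_RE = re.compile(r"""^\s*\$CFG->(\w+)\s*=\s*(['"])(.*?)\2\s*;""", re.M)


def parse_moodle_config(text):
    """Return the string-valued $CFG settings found in config.php text."""
    return {m.group(1): m.group(3) for m in CFG_RE.finditer(text)}


def is_within(child, parent):
    """True if child is parent or lies below it, after resolving symlinks."""
    child = Path(os.path.realpath(child))
    parent = Path(os.path.realpath(parent))
    # Compare path components, not string prefixes, so that
    # /var/www/moodledata is not mistaken for a child of /var/www/moodle.
    return child == parent or parent in child.parents


def exposing_docroots(config_text, docroots):
    """Return every web document root that contains the configured dataroot."""
    dataroot = parse_moodle_config(config_text)["dataroot"]
    return [d for d in docroots if is_within(dataroot, d)]


def demo():
    """Build a constructed directory tree and audit four layouts."""
    base = tempfile.mkdtemp()
    www = os.path.join(base, "www")
    for d in ("www/moodle", "www/moodledata", "srv/moodledata"):
        os.makedirs(os.path.join(base, d))
    # A dataroot path outside the web root that is a symlink back into it.
    link = os.path.join(base, "srv", "data-link")
    os.symlink(os.path.join(www, "moodledata"), link)

    def cfg(path):
        return "<?php\n$CFG = new stdClass();\n$CFG->dataroot = '%s';\n" % path
    inside = os.path.join(www, "moodledata")
    return {
        "outside": exposing_docroots(cfg(os.path.join(base, "srv/moodledata")), [www]),
        "sibling": exposing_docroots(cfg(inside), [os.path.join(www, "moodle")]),
        "inside": exposing_docroots(cfg(inside), [www]),
        "symlink": exposing_docroots(cfg(link), [www]),
    }, www
```

Pass the web server's actual document roots rather than Moodle's own code directory: a data directory that sits beside the Moodle code under a shared document root is still web accessible.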

Comment 1 Jan Lieskovsky 2012-11-19 17:28:39 UTC
The table of affected moodle package versions (based on review of provided upstream patches if they would be applicable) as shipped with Fedora releases 16 and 17, Fedora EPEL 6, and Fedora EPEL 5 is as follows:

[Legend: A = Affected, NA = Not Affected]

|                 |  F-17 | F-16/EPEL-6 | EPEL-5 |
--------------------------------------------------
| CVE-2012-5471   |   A   |     A       |  NA    |
| CVE-2012-5472   |   A   |     A       |   A    |
| CVE-2012-5473   |   A   |     A       |   A    |
| CVE-2012-5475   |   A[*]|     A[*]    |   A[*] |
| CVE-2012-5479   |   A   |     A       |   A    |
| CVE-2012-5480   |   A   |     A       |   A    |
| CVE-2012-5481   |   A   |     A       |  NA    |
--------------------------------------------------

[*] Based on: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5475 the CVE-2012-5475 identifier has been rejected (in favour of CVE-2012-5881, CVE-2012-5882, CVE-2012-5883); that is the reason CVE-2012-5475 is not used in the alias field of this bug.

Comment 2 Jan Lieskovsky 2012-11-19 17:30:53 UTC
Created moodle tracking bugs for this issue

Affects: fedora-all [bug 878132]
Affects: epel-all [bug 878133]

