Moodle announces more security issues.

By sending out this "advance security notice" of known exploits to registered Moodle sites before the security fixes and "press release", it's clear that Moodle does not fully appreciate the state of web security today. Literally thousands of web systems exploiters are already targeting school-based Moodle php/mysql sites! A great many links to Moodle hacking are available:

http://www.pakbugs.com/exploits/1667-moodle-1-6-9-1-7-7-1-8-9-1-9-5-file-disclosure-vulnerability.html

Note the verbiage below requesting that the "secret" continue to be held by not forwarding this on? We did some cracking of Moodle during a HackFest also, 8 months ago, where these and other holes were trivial to exploit.

---------- Forwarded message ----------
From: martin@moodle.com
Date: Mon, 26 Oct 2009 12:30:37 +0800
Subject: [securityalerts] New Moodle releases 1.9.6 and 1.8.10: Security fixes
To: securityalerts@lists.moodle.org

Hello Moodle Admins,

You are getting this email because you subscribed to the Moodle security alerts list when you registered your Moodle site. (Thanks for registering, by the way!)

I'm writing to give you some advance notice of two minor new releases - Moodle 1.9.6 and Moodle 1.8.10 - which will be announced publicly at the end of this week. Since there are some security fixes we recommend that you upgrade your Moodle site as soon as you can to keep your sites safe.

The releases are available, as always, from our downloads page or any CVS mirror.

http://moodle.org/downloads

Here are the release notes:

http://docs.moodle.org/en/Moodle_1.9.6_release_notes
http://docs.moodle.org/en/Moodle_1.8.10_release_notes

Apart from a range of bug fixes and small improvements, six security vulnerabilities (1 critical, 1 major and 4 minor) have been discovered and fixed since Moodle 1.9.5. (Thanks as usual to the reporters and to Petr Skoda for his tireless and excellent work defending all our Moodle sites.)
There are no reported exploits yet, and they do not affect all sites, but we still recommend that you upgrade your sites to these latest versions as soon as possible (or otherwise ensure that these issues are not active in your site).

Attached below is more information about the six security issues.

PLEASE DO NOT PUBLISH INFORMATION OF THESE ISSUES ON THE INTERNET YET! Give your fellow Moodle admins some time to upgrade first. We'll publish full details in the security news section on Friday October 30:

http://moodle.org/security

Also, please do not reply to me via email. This mailing list goes out to nearly 60,000 people - I usually get about 1000 direct replies which I can't deal with :)

If you need help with upgrading or anything else please see http://moodle.org/support or contact your web host.

Cheers and thank you for using Moodle! (We are still working hard on 2.0!)

Martin Dougiamas,
Moodle Founder and Lead Developer

=========================
MSA-09-0019: SQL injection in update_record

Topic: SQL injection in update_record
Severity: Critical
Versions affected: <1.9.6, <1.8.10, 1.7.x
Reported by: Georg-Christian Pranschke
Issue no.: MDL-20309
Solution: upgrade to latest weekly builds or 1.8.10 or 1.9.6
Workaround: none
Description: Georg-Christian Pranschke discovered a serious problem in the update_record function. This problem may allow any registered user to exploit several different scripts.
=========================
MSA-09-0015: Customised PhpMyAdmin upgraded to 2.11.9.6

Topic: Customised PhpMyAdmin upgraded to 2.11.9.6
Severity: Major
Versions affected: all
Reported by: upstream - PMASA-2009-6; CVE-2009-3696 and CVE-2009-3697
Issue no.: MDL-20553
Solution: Install latest package from http://moodle.org/mod/data/view.php?d=13&rid=448 or cvs
Workaround: delete admin/mysql/*
See details at http://www.phpmyadmin.net/home_page/security/PMASA-2009-6.php

=========================
MSA-09-0016: Email not properly escaped on user edit page

Topic: Email not properly escaped on user edit page
Severity: Minor
Versions affected: <1.9.6
Reported by: Alan Trick
Issue no.: MDL-20295
Solution: upgrade to latest weekly build or 1.8.10 or 1.9.6
Workaround: disable email change confirmation (not recommended)
Description: Alan Trick discovered that the email change confirmation code does not escape the email addresses properly. This problem is marked as minor because the email address is validated and can not contain arbitrary text.

=========================
MSA-09-0017: Upgrade code 1.9 does not escape tags properly

Topic: Upgrade to 1.9 from earlier versions does not escape tags properly
Severity: Minor
Versions affected: <1.9.6
Reported by: Matt Oquist
Issue no.: MDL-19709
Solution: do not use 1.9.0-1.9.5 when upgrading from any previous version
Description: The upgrade code does not escape tags properly when upgrading from any version before 1.9.0.
=========================
MSA-09-0018: Incorrect escaping when updating first post in a single simple discussion forum type

Topic: Incorrect escaping when updating first post in a single simple discussion forum type
Severity: Minor
Versions affected: <1.9.6, <1.8.10
Reported by: Nicola Vitacolonna
Issue no.: MDL-20555
Solution: upgrade to latest weekly builds or 1.8.10 or 1.9.6
Workaround: none
Description: Nicola Vitacolonna discovered forum introduction is incorrectly escaped when editing the first post of a single simple discussion forum. This can potentially lead to SQL injection attacks by teachers. Students can not exploit this problem.

=========================
MSA-09-0020: Teachers can view students' grades in all courses in the overview report

Topic: Teachers can view students' grades in all courses in the overview report
Severity: Minor
Versions affected: <1.9.6
Reported by: Ratana Lim
Issue no.: MDL-20355
Solution: upgrade to latest weekly builds or 1.9.6
Workaround: remove the overview report link - see http://docs.moodle.org/en/Simplifying_the_gradebook
Description: Teachers could view students' grades in all courses, including courses for which they do not have teacher rights, in the overview report.

=========================

--
Skype: (623)239-3392
AT&T: (503)754-4452
www.obnosis.com