Update or risk your students editing your database. ---------- Forwarded message ---------- From: Date: Sun, May 13, 2012 at 10:50 PM Subject: [securityalerts] URGENT: Moodle 2.2.3, Moodle 2.1.6, 2.0.9 and Moodle 1.9.18 are now available To: securityalerts@lists.moodle.org Hello registered Moodle Admins! (This email is going out to over 82,000 registered Moodle admins. You are receiving this email because you asked for Moodle security news when you registered a Moodle site. If you don't want these emails then see the very end of this email for info about unsubscribing. Replies to this email will not be read.) I'm writing today to let you know that Moodle 2.2.3, 2.1.6, 2.0.9 and 1.9.18 are available via the usual download channels (http://download.moodle.org, CVS or Git). Note that Moodle 2.0.9 and 1.9.18 are no longer fully supported. They are supported for security fixes only. The full release notes are here: * http://docs.moodle.org/dev/Moodle_2.2.3_release_notes * http://docs.moodle.org/dev/Moodle_2.1.6_release_notes * http://docs.moodle.org/dev/Moodle_2.0.9_release_notes * http://docs.moodle.org/dev/Moodle_1.9.18_release_notes SECURITY ISSUES As well as a long list of bug fixes, performance improvements and polishing, there are 15 security issues you should be aware of. Details of these security issues are listed below. As a registered Moodle admin we are giving you advance notice of these issues so you have some time to fix them before we publish them more widely on http://moodle.org/security and publicise them in one week. To avoid leaving your site vulnerable we highly recommend you upgrade your sites to the latest Moodle version as soon as you can. If you cannot upgrade then please check the following list carefully and patch your own system or switch off those features. Thanks, as always, to EVERYONE involved in reporting and fixing security issues for all their hard work. It really is a team effort and one with more and more people involved all the time. Thanks for using Moodle! Michael de Raadt Development Manager, Moodle HQ ======================================================================= MSA-12-0024: Hidden information access issue Topic: Data protection issue / Information disclosure by "Settings" -> "Users" -> "Enrolled users" Severity/Risk: Minor Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+ Reported by: Andreas Grupp Issue no.: MDL-31923 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31923 Description: Teachers without appropriate permissions were able see user access information. ======================================================================= MSA-12-0025: Personal communication access issue Topic: "Recent conversations" allows anyone to see anyone else's messages Severity/Risk: Serious Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+ Reported by: Juan Aburto Issue no.: MDL-31834 Changes (master): http://git.moodle.org/gw?p=moodle.git;a=commit;h=48e03792ca8faa2d781f9ef74606f3b3f0d3baec Description: By manipulating URL parameters, users were able to see others' messages. ======================================================================= MSA-12-0026: Quiz capability issue Topic: When you add a question to the quiz, it does not check the question:use... capability. Severity/Risk: Minor Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+ Reported by: Tim Hunt Issue no.: MDL-32240 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32240 Description: Capabilities were not being correctly checked when adding questions to a quiz. ======================================================================= MSA-12-0027: Question bank capability issues Topic: Various problems with permissions checks in the question bank Severity/Risk: Minor Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+ Reported by: Tim Hunt Issue no.: MDL-32239 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32239 Description: Capabilities were not being correctly checked when working in the question bank. Question authorship was not being checked. Users were shown UI elements when they did not have permission to use them. User permissions were not correctly checked when saving a question. ======================================================================= MSA-12-0028: Insecure authentication issue Topic: CAS Multi-Authentication Does Not Use HTTPS Login Severity/Risk: Minor Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+ Reported by: Chris Follin Workaround: Avoid CAS authentication Issue no.: MDL-32492 Changes (master): http://git.moodle.org/gw?p=moodle.git;a=commit;h=895e76ea51c462c18ad66e0761ad76cd26a63ecf Description: A page in the CAS Authentication process was using an insecure HTTP URL that, apart from being insecure, sent the user in circles. ======================================================================= MSA-12-0029: Information editing access issue Topic: Students can edit database entries in read only mode Severity/Risk: Minor Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+ Reported by: Amanda Doughty Issue no.: MDL-31811 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31811 Description: Students were able to edit pre-existing Database activity entries after the activity had entered a read-only period. ======================================================================= MSA-12-0030: Capability manipulation issue Topic: Non-editor teacher can exceed teacher permissions: example, backup:userinfo Severity/Risk: Serious Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+ Reported by: Jozas Nhial Issue no.: MDL-32030 Changes (master): http://git.moodle.org/gw?p=moodle.git;a=commit;h=0f75e1e6272db0303abc8e27362e5c3a1344b82f Description: Non-editing teachers were able to redefine their capabilities to achieve actions they would not normally be able to achieve. ======================================================================= MSA-12-0031: Cross-site scripting vulnerability in Wiki Topic: Injection and XSS vulnerability in wiki through insufficient validation Severity/Risk: Serious Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+, Reported by: Sam Hemelryk Issue no.: MDL-32018 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32018 Description: It was possible to inject unfiltered HTML into a wiki page title. ======================================================================= MSA-12-0032: Cross-site scripting vulnerability in Web services Topic: XSS in /admin/webservice/service.php Severity/Risk: Serious Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+ Reported by: Dan Poltawski Workaround: Avoid Web services Issue no.: MDL-31694 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31694 Description: The name parameter, sent to the Web service script service.php, was not being filtered correctly. ======================================================================= MSA-12-0033: Cross-site scripting vulnerability in Blog Topic: XSS bug in blog/index.php in IE Severity/Risk: Serious Versions affected: 1.9 to 1.9.17+ Reported by: Simon Coggins Issue no.: MDL-31745 Changes (1.9): http://git.moodle.org/gw?p=moodle.git;a=commit;h=038131c8b5614f18c14d964dc53b6960ae6c30d8 Description: Parameters sent to the Blog module were not sufficiently filtered. This allowed the potential for cross-site scripting in IE ======================================================================= MSA-12-0034: Potential SQL injection issue Topic: Stored SQL Injection in calendar Severity/Risk: Serious Versions affected: 1.9 to 1.9.17+ Reported by: Simon Coggins Issue no.: MDL-31746 Changes (1.9): http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_19_STABLE&st=commit&s=MDL-31746 Description: It was possible to include unfiltered information when adding a calendar event that was stored in the database. ======================================================================= MSA-12-0035: Cross-site scripting vulnerability in "download all" Topic: Content-Type is TEXT/HTML for zip Download instead of application/x-zip-compressed or forced download Severity/Risk: Minor Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+ Reported by: Asaf Ohaion Workaround: Avoid "download all" feature in Assignment Issue no.: MDL-31558 Changes (master): http://git.moodle.org/gw?p=moodle.git;a=commit;h=ce4126c7a9e07dd0514f7ac297b5e60cad0b8d20 Description: An incorrect mimetype was being reported for zipped assignment submissions, causing some browsers to render the response. The fix for this issue also prevents incorrect use of file sending functions by third-party modules. ======================================================================= MSA-12-0036: Cross-site scripting vulnerability in category identifier Topic: XSS in /cohort/edit.php (POST parameter: idnumber) Severity/Risk: Serious Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+ Reported by: Dan Poltawski Issue no.: MDL-31691 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31691 Description: The idnumber field, an arbitrary unique identifier for a category, was able to be entered without being filtered. ======================================================================= MSA-12-0037: Write access issue in Database activity module Topic: It's possible for any user to overwrite site wide database presets Severity/Risk: Minor Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+ Reported by: Dan Poltawski Issue no.: MDL-31763 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31763 Description: Users were able to overwrite site-wide Database activity presets created by other users. ======================================================================= MSA-12-0038: Calendar event write permission issue Topic: Calendar New Entry still shows and works for roles preventing calendar entry Severity/Risk: Minor Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+, 1.9 to 1.9.17+ Reported by: Martin Huntley Issue no.: MDL-18335 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-18335 Description: Users without appropriate permissions were able to access the new calendar entry page and create a calendar entry. -- You are receiving this email because you registered a Moodle site with Moodle.org and chose to be added to this low-volume list of security notifications and other important Moodle-related announcements for Moodle administrators. To unsubscribe you can re-register your site (as above) and make sure you turn the email option OFF in the registration form. You can also send a blank email to sympa@lists.moodle.org with "unsubscribe securityalerts" as the subject (from the email address that is subscribed). See http://lists.moodle.org/info/securityalerts for more. -- (503) 754-4452 Android (623) 239-3392 Skype (623) 688-3392 Google Voice ** it-clowns.com