Ubuntu 791-1: Moodle vulnerabilities

    Date24 Jun 2009
    CategoryUbuntu
    53
    Posted ByLinuxSecurity Advisories
    Thor Larholm discovered that PHPMailer, as used by Moodle, did not correctly escape email addresses. A local attacker with direct access to the Moodle database could exploit this to execute arbitrary commands as the web server user. (CVE-2007-3215) [More...]
    ===========================================================
    Ubuntu Security Notice USN-791-1              June 24, 2009
    moodle vulnerabilities
    CVE-2007-3215, CVE-2008-4796, CVE-2008-4810, CVE-2008-4811,
    CVE-2008-5153, CVE-2008-5432, CVE-2008-5619, CVE-2008-6124,
    CVE-2009-0499, CVE-2009-0500, CVE-2009-0501, CVE-2009-0502,
    CVE-2009-1171, CVE-2009-1669
    ===========================================================
    
    A security issue affects the following Ubuntu releases:
    
    Ubuntu 8.04 LTS
    Ubuntu 8.10
    
    This advisory also applies to the corresponding versions of
    Kubuntu, Edubuntu, and Xubuntu.
    
    The problem can be corrected by upgrading your system to the
    following package versions:
    
    Ubuntu 8.04 LTS:
      moodle                          1.8.2-1ubuntu4.2
    
    Ubuntu 8.10:
      moodle                          1.8.2-1.2ubuntu2.1
    
    After a standard system upgrade you need to access the Moodle instance
    and accept the database update to clear any invalid cached data.
    
    Details follow:
    
    Thor Larholm discovered that PHPMailer, as used by Moodle, did not
    correctly escape email addresses.  A local attacker with direct access
    to the Moodle database could exploit this to execute arbitrary commands
    as the web server user. (CVE-2007-3215)
    
    Nigel McNie discovered that fetching https URLs did not correctly escape
    shell meta-characters.  An authenticated remote attacker could execute
    arbitrary commands as the web server user, if curl was installed and
    configured. (CVE-2008-4796, MSA-09-0003)
    
    It was discovered that Smarty (also included in Moodle), did not
    correctly filter certain inputs.  An authenticated remote attacker could
    exploit this to execute arbitrary PHP commands as the web server user.
    (CVE-2008-4810, CVE-2008-4811, CVE-2009-1669)
    
    It was discovered that the unused SpellChecker extension in Moodle did not
    correctly handle temporary files.  If the tool had been locally modified,
    it could be made to overwrite arbitrary local files via symlinks.
    (CVE-2008-5153)
    
    Mike Churchward discovered that Moodle did not correctly filter Wiki page
    titles in certain areas.  An authenticated remote attacker could exploit
    this to cause cross-site scripting (XSS), which could be used to modify
    or steal confidential data of other users within the same web domain.
    (CVE-2008-5432, MSA-08-0022)
    
    It was discovered that the HTML sanitizer, "Login as" feature, and logging
    in Moodle did not correctly handle certain inputs.  An authenticated
    remote attacker could exploit this to generate XSS, which could be used
    to modify or steal confidential data of other users within the same
    web domain.  (CVE-2008-5619, CVE-2009-0500, CVE-2009-0502, MSA-08-0026,
    MSA-09-0004, MSA-09-0007)
    
    It was discovered that the HotPot module in Moodle did not correctly
    filter SQL inputs.  An authenticated remote attacker could execute
    arbitrary SQL commands as the moodle database user, leading to a loss
    of privacy or denial of service.  (CVE-2008-6124, MSA-08-0010)
    
    Kevin Madura discovered that the forum actions and messaging settings
    in Moodle were not protected from cross-site request forgery (CSRF).
    If an authenticated user were tricked into visiting a malicious
    website while logged into Moodle, a remote attacker could change the
    user's configurations or forum content.  (CVE-2009-0499, MSA-09-0008,
    MSA-08-0023)
    
    Daniel Cabezas discovered that Moodle would leak usernames from the
    Calendar Export tool.  A remote attacker could gather a list of users,
    leading to a loss of privacy.  (CVE-2009-0501, MSA-09-0006)
    
    Christian Eibl discovered that the TeX filter in Moodle allowed any
    function to be used.  An authenticated remote attacker could post
    a specially crafted TeX formula to execute arbitrary TeX functions,
    potentially reading any file accessible to the web server user, leading
    to a loss of privacy.  (CVE-2009-1171, MSA-09-0009)
    
    Johannes Kuhn discovered that Moodle did not correctly validate user
    permissions when attempting to switch user accounts.  An authenticated
    remote attacker could switch to any other Moodle user, leading to a loss
    of privacy.  (MSA-08-0003)
    
    Hanno Boeck discovered that unconfigured Moodle instances contained
    XSS vulnerabilities.  An unauthenticated remote attacker could exploit
    this to modify or steal confidential data of other users within the same
    web domain.  (MSA-08-0004)
    
    Debbie McDonald, Mauno Korpelainen, Howard Miller, and Juan Segarra
    Montesinos discovered that when users were deleted from Moodle, their
    profiles and avatars were still visible.  An authenticated remote attacker
    could exploit this to store information in profiles even after they were
    removed, leading to spam traffic.  (MSA-08-0015, MSA-09-0001, MSA-09-0002)
    
    Lars Vogdt discovered that Moodle did not correctly filter certain inputs.
    An authenticated remote attacker could exploit this to generate XSS from
    which they could modify or steal confidential data of other users within
    the same web domain.  (MSA-08-0021)
    
    It was discovered that Moodle did not correctly filter inputs for group
    creation, mnet, essay question, HOST param, wiki param, and others.
    An authenticated remote attacker could exploit this to generate XSS
    from which they could modify or steal confidential data of other users
    within the same web domain.  (MDL-9288, MDL-11759, MDL-12079, MDL-12793,
    MDL-14806)
    
    It was discovered that Moodle did not correctly filter SQL inputs when
    performing a restore.  An attacker authenticated as a Moodle administrator
    could execute arbitrary SQL commands as the moodle database user,
    leading to a loss of privacy or denial of service. (MDL-11857)
    
    
    Updated packages for Ubuntu 8.04 LTS:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1ubuntu4.2.diff.gz
          Size/MD5:    40258 b0164bfaf9023bc534d2a7b6a8a8c718
        http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1ubuntu4.2.dsc
          Size/MD5:      703 e32f8b5963d5c1a1710073d4e5a88415
        http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2.orig.tar.gz
          Size/MD5: 10157112 4e6afcfd567571af0638533d157f9181
    
      Architecture independent packages:
    
        http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1ubuntu4.2_all.deb
          Size/MD5:  9292594 967ddb24a756fa4ba683b66835eb734d
    
    Updated packages for Ubuntu 8.10:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1.2ubuntu2.1.diff.gz
          Size/MD5:    48171 92c36cd38c72494817858ceefe55db23
        http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1.2ubuntu2.1.dsc
          Size/MD5:     1107 f001011ebd7f3ad66fc797a26194393c
        http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2.orig.tar.gz
          Size/MD5: 10157112 4e6afcfd567571af0638533d157f9181
    
      Architecture independent packages:
    
        http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1.2ubuntu2.1_all.deb
          Size/MD5:  9298070 af5fbc6ef05185b6cc3b65f22d49b13e
    
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"23","type":"x","order":"1","pct":53.49,"resources":[]},{"id":"88","title":"Should be more technical","votes":"5","type":"x","order":"2","pct":11.63,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"15","type":"x","order":"3","pct":34.88,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.