OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
[Full-disclosure] [USN-791-1] Moodle vulnerabilities

From: Kees Cook (keesubuntu.com)
Date: Wed Jun 24 2009 - 15:00:21 CDT


===========================================================
Ubuntu Security Notice USN-791-1 June 24, 2009
moodle vulnerabilities
CVE-2007-3215, CVE-2008-4796, CVE-2008-4810, CVE-2008-4811,
CVE-2008-5153, CVE-2008-5432, CVE-2008-5619, CVE-2008-6124,
CVE-2009-0499, CVE-2009-0500, CVE-2009-0501, CVE-2009-0502,
CVE-2009-1171, CVE-2009-1669
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  moodle 1.8.2-1ubuntu4.2

Ubuntu 8.10:
  moodle 1.8.2-1.2ubuntu2.1

After a standard system upgrade you need to access the Moodle instance
and accept the database update to clear any invalid cached data.

Details follow:

Thor Larholm discovered that PHPMailer, as used by Moodle, did not
correctly escape email addresses. A local attacker with direct access
to the Moodle database could exploit this to execute arbitrary commands
as the web server user. (CVE-2007-3215)

Nigel McNie discovered that fetching https URLs did not correctly escape
shell meta-characters. An authenticated remote attacker could execute
arbitrary commands as the web server user, if curl was installed and
configured. (CVE-2008-4796, MSA-09-0003)

It was discovered that Smarty (also included in Moodle), did not
correctly filter certain inputs. An authenticated remote attacker could
exploit this to execute arbitrary PHP commands as the web server user.
(CVE-2008-4810, CVE-2008-4811, CVE-2009-1669)

It was discovered that the unused SpellChecker extension in Moodle did not
correctly handle temporary files. If the tool had been locally modified,
it could be made to overwrite arbitrary local files via symlinks.
(CVE-2008-5153)

Mike Churchward discovered that Moodle did not correctly filter Wiki page
titles in certain areas. An authenticated remote attacker could exploit
this to cause cross-site scripting (XSS), which could be used to modify
or steal confidential data of other users within the same web domain.
(CVE-2008-5432, MSA-08-0022)

It was discovered that the HTML sanitizer, "Login as" feature, and logging
in Moodle did not correctly handle certain inputs. An authenticated
remote attacker could exploit this to generate XSS, which could be used
to modify or steal confidential data of other users within the same
web domain. (CVE-2008-5619, CVE-2009-0500, CVE-2009-0502, MSA-08-0026,
MSA-09-0004, MSA-09-0007)

It was discovered that the HotPot module in Moodle did not correctly
filter SQL inputs. An authenticated remote attacker could execute
arbitrary SQL commands as the moodle database user, leading to a loss
of privacy or denial of service. (CVE-2008-6124, MSA-08-0010)

Kevin Madura discovered that the forum actions and messaging settings
in Moodle were not protected from cross-site request forgery (CSRF).
If an authenticated user were tricked into visiting a malicious
website while logged into Moodle, a remote attacker could change the
user's configurations or forum content. (CVE-2009-0499, MSA-09-0008,
MSA-08-0023)

Daniel Cabezas discovered that Moodle would leak usernames from the
Calendar Export tool. A remote attacker could gather a list of users,
leading to a loss of privacy. (CVE-2009-0501, MSA-09-0006)

Christian Eibl discovered that the TeX filter in Moodle allowed any
function to be used. An authenticated remote attacker could post
a specially crafted TeX formula to execute arbitrary TeX functions,
potentially reading any file accessible to the web server user, leading
to a loss of privacy. (CVE-2009-1171, MSA-09-0009)

Johannes Kuhn discovered that Moodle did not correctly validate user
permissions when attempting to switch user accounts. An authenticated
remote attacker could switch to any other Moodle user, leading to a loss
of privacy. (MSA-08-0003)

Hanno Boeck discovered that unconfigured Moodle instances contained
XSS vulnerabilities. An unauthenticated remote attacker could exploit
this to modify or steal confidential data of other users within the same
web domain. (MSA-08-0004)

Debbie McDonald, Mauno Korpelainen, Howard Miller, and Juan Segarra
Montesinos discovered that when users were deleted from Moodle, their
profiles and avatars were still visible. An authenticated remote attacker
could exploit this to store information in profiles even after they were
removed, leading to spam traffic. (MSA-08-0015, MSA-09-0001, MSA-09-0002)

Lars Vogdt discovered that Moodle did not correctly filter certain inputs.
An authenticated remote attacker could exploit this to generate XSS from
which they could modify or steal confidential data of other users within
the same web domain. (MSA-08-0021)

It was discovered that Moodle did not correctly filter inputs for group
creation, mnet, essay question, HOST param, wiki param, and others.
An authenticated remote attacker could exploit this to generate XSS
from which they could modify or steal confidential data of other users
within the same web domain. (MDL-9288, MDL-11759, MDL-12079, MDL-12793,
MDL-14806)

It was discovered that Moodle did not correctly filter SQL inputs when
performing a restore. An attacker authenticated as a Moodle administrator
could execute arbitrary SQL commands as the moodle database user,
leading to a loss of privacy or denial of service. (MDL-11857)

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1ubuntu4.2.diff.gz
      Size/MD5: 40258 b0164bfaf9023bc534d2a7b6a8a8c718
    http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1ubuntu4.2.dsc
      Size/MD5: 703 e32f8b5963d5c1a1710073d4e5a88415
    http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2.orig.tar.gz
      Size/MD5: 10157112 4e6afcfd567571af0638533d157f9181

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1ubuntu4.2_all.deb
      Size/MD5: 9292594 967ddb24a756fa4ba683b66835eb734d

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1.2ubuntu2.1.diff.gz
      Size/MD5: 48171 92c36cd38c72494817858ceefe55db23
    http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1.2ubuntu2.1.dsc
      Size/MD5: 1107 f001011ebd7f3ad66fc797a26194393c
    http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2.orig.tar.gz
      Size/MD5: 10157112 4e6afcfd567571af0638533d157f9181

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1.2ubuntu2.1_all.deb
      Size/MD5: 9298070 af5fbc6ef05185b6cc3b65f22d49b13e

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpChdUACgkQH/9LqRcGPm3fswCfauL0POHA4o4toNxCLlAehDpv
WqoAnRofmSzg/E5wWhetgSbKL0AeyfNF
=dr2N
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/