Debian Security Advisory
DSA-2115-1 moodle -- several vulnerabilities
- Date Reported:
- 29 Sep 2010
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2010-1613, CVE-2010-1614, CVE-2010-1615, CVE-2010-1616, CVE-2010-1617, CVE-2010-1618, CVE-2010-1619, CVE-2010-2228, CVE-2010-2229, CVE-2010-2230, CVE-2010-2231.
- More information:
Several remote vulnerabilities have been discovered in Moodle, a course management system. The Common Vulnerabilities and Exposures project identifies the following problems:
Moodle does not enable the
Regenerate session id during loginsetting by default, which makes it easier for remote attackers to conduct session fixation attacks.
Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the Login-As feature or (2) when the global search feature is enabled, unspecified global search forms in the Global Search Engine.
Multiple SQL injection vulnerabilities allow remote attackers to execute arbitrary SQL commands via vectors related to (1) the add_to_log function in mod/wiki/view.php in the wiki module, or (2)
data validation in some forms elementsrelated to lib/form/selectgroups.php.
Moodle can create new roles when restoring a course, which allows teachers to create new accounts even if they do not have the moodle/user:create capability.
user/view.php does not properly check a role, which allows remote authenticated users to obtain the full names of other users via the course profile page.
A Cross-site scripting (XSS) vulnerability in the phpCAS client library allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is not properly handled in an error message.
A Cross-site scripting (XSS) vulnerability in the fix_non_standard_entities function in the KSES HTML text cleaning library (weblib.php) allows remote attackers to inject arbitrary web script or HTML via crafted HTML entities.
A Cross-site scripting (XSS) vulnerability in the MNET access-control interface allows remote attackers to inject arbitrary web script or HTML via vectors involving extended characters in a username.
Multiple cross-site scripting (XSS) vulnerabilities in blog/index.php allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.
The KSES text cleaning filter in lib/weblib.php does not properly handle vbscript URIs, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via HTML input.
A Cross-site request forgery (CSRF) vulnerability in report/overview/report.php in the quiz module allows remote attackers to hijack the authentication of arbitrary users for requests that delete quiz attempts via the attemptid parameter.
This security update switches to a new upstream version and requires database updates. After installing the fixed package, you must visit <http://localhost/moodle/admin/> and follow the update instructions.
For the stable distribution (lenny), these problems have been fixed in version 1.8.13-1.
For the unstable distribution (sid), these problems have been fixed in version 1.9.9.dfsg2-1.
We recommend that you upgrade your moodle package.
- Fixed in:
Debian GNU/Linux 5.0 (lenny)
- Architecture-independent component:
MD5 checksums of the listed files are available in the original advisory.