Debian Security Advisory

DSA-2421-1 moodle -- several vulnerabilities

Date Reported:
29 Feb 2012
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2011-4308, CVE-2011-4584, CVE-2011-4585, CVE-2011-4586, CVE-2011-4587, CVE-2011-4588, CVE-2012-0792, CVE-2012-0793, CVE-2012-0794, CVE-2012-0795, CVE-2012-0796.
More information:

Several security issues have been fixed in Moodle, a course management system for online learning:

  • CVE-2011-4308 / CVE-2012-0792

    Rossiani Wijaya discovered an information leak in mod/forum/user.php.

  • CVE-2011-4584

    MNet authentication didn't prevent a user using Login as from jumping to a remove MNet SSO.

  • CVE-2011-4585

    Darragh Enright discovered that the change password form was send in over plain HTTP even if httpslogin was set to true.

  • CVE-2011-4586

    David Michael Evans and German Sanchez Gances discovered CRLF injection/HTTP response splitting vulnerabilities in the Calendar module.

  • CVE-2011-4587

    Stephen Mc Guiness discovered empty passwords could be entered in some circumstances.

  • CVE-2011-4588

    Patrick McNeill discovered that IP address restrictions could be bypassed in MNet.

  • CVE-2012-0796

    Simon Coggins discovered that additional information could be injected into mail headers.

  • CVE-2012-0795

    John Ehringer discovered that email addresses were insufficiently validated.

  • CVE-2012-0794

    Rajesh Taneja discovered that cookie encryption used a fixed key.

  • CVE-2012-0793

    Eloy Lafuente discovered that profile images were insufficiently protected. A new configuration option forceloginforprofileimages was introduced for that.

For the stable distribution (squeeze), this problem has been fixed in version 1.9.9.dfsg2-2.1+squeeze3.

For the unstable distribution (sid), this problem has been fixed in version 1.9.9.dfsg2-5.

We recommend that you upgrade your moodle packages.