SecurityTracker.com
SecurityTracker
Archives
Category: Application (Forum/Board/Portal) > Moodle
Vendors: moodle.org
Moodle Bugs Let Remote Users Obtain Potentially Sensitive Information and Bypass Security Controls
SecurityTracker Alert ID:  1030839
SecurityTracker URL:  http://securitytracker.com/id/1030839
CVE Reference: CVE-2014-3617, CVE-2014-4172
Date:  Sep 15 2014
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2.5 to 2.5.7, 2.6 to 2.6.4, 2.7 to 2.7.1
Description:   Two vulnerabilities were reported in Moodle. A remote user can obtain potentially sensitive information. A remote user can bypass security restrictions.

A remote user who has not yet posted an answer in a Q&A forum (a post is required before past posts become visible) can exploit a flaw in '/mod/forum/view.php' to view the name of the last user who posted [CVE-2014-3617].

Amanda Doughty reported this vulnerability.

A remote user can inject URL parameters to exploit a flaw in the third-party CAS library (phpCAS) and bypass security controls or potentially gain elevated privileges [CVE-2014-4172].

Eric Merrill reported this vulnerability.

Impact:   A remote user can obtain potentially sensitive information.

A remote user can bypass security restrictions and potentially gain elevated privileges.

Solution:   The vendor has issued a fix (2.7.2, 2.6.5, 2.5.8).

[Editor's note: No fix will be available for CVE-2014-4172 for version 2.5.]

The vendor's advisory is available at:

moodle.org/security/

Vendor URL: moodle.org/security/
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Source Message Contents

Subject:  [oss-security] Moodle security notifications public

The following security notifications are now public after release.

Thanks to OSS members for their continued cooperation.

=======================================================================
MSA-14-0033: URL parameter injection in CAS authentication

Description:       A flaw in the third-party CAS library, utilised by
                    Moodle, has been found, which could potentially
                    allow unauthorised access and privilege escalation.
Issue summary:     Upgrade phpCAS to 1.3.3 or greater - security
                    vulnerabilities
Severity/Risk:     Serious
Versions affected: 2.7 to 2.7.1, 2.6 to 2.6.4, 2.5 to 2.5.7 and earlier
                    unsupported versions
Versions fixed:    2.7.2 and 2.6.5 (NOTE: A fix to 2.5 was not
                    possible. CAS users with Moodle 2.5 or earlier are
                    encouraged to upgrade to a more recent release.)
Reported by:       Eric Merrill
Issue no.:         MDL-46766
CVE identifier:    CVE-2014-4172
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46766

=======================================================================
MSA-14-0034: Identity information revealed early in Q&A forum

Description:       Users who had not yet posted the required answer in
                    a Q&A forum in order to access past posts were able
                    to see the name of the last person who had posted.
Issue summary:     Other authors are visible in /mod/forum/view.php
                    before student has posted their own answer.
Severity/Risk:     Minor
Versions affected: 2.7 to 2.7.1, 2.6 to 2.6.4, 2.5 to 2.5.7 and earlier
                    unsupported versions
Versions fixed:    2.7.2, 2.6.5 and 2.5.8
Reported by:       Amanda Doughty
Issue no.:         MDL-46619
CVE identifier:    CVE-2014-3617
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46619

=======================================================================
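The Q&A forum rule behind MSA-14-0034 (the CVE-2014-3617 entry above), as an added illustrative model in Python rather than Moodle's own code: a discussion listing that fills the "last post by" column unconditionally is shown beside one that withholds the author until the viewer has posted in that discussion or holds a view-without-posting capability. The data classes and the capability name are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of a forum and its posts; not Moodle's data model.
@dataclass
class Post:
    author: str
    discussion_id: int

@dataclass
class Forum:
    forum_type: str                            # "general" or "qanda"
    posts: list = field(default_factory=list)  # kept in posting order

# Hypothetical capability name standing in for a teacher-style privilege.
VIEW_WITHOUT_POSTING = "view_without_posting"

def last_post(forum: Forum, discussion_id: int) -> Optional[Post]:
    """Most recent post in the discussion, or None if it has none."""
    for post in reversed(forum.posts):
        if post.discussion_id == discussion_id:
            return post
    return None

def user_has_posted(forum: Forum, discussion_id: int, user: str) -> bool:
    return any(p.author == user and p.discussion_id == discussion_id
               for p in forum.posts)

def may_see_other_authors(forum, discussion_id, user, capabilities) -> bool:
    """Q&A rule: other participants stay hidden until the viewer has answered."""
    if forum.forum_type != "qanda":
        return True
    if VIEW_WITHOUT_POSTING in capabilities:
        return True
    return user_has_posted(forum, discussion_id, user)

def listing_row_vulnerable(forum, discussion_id, user, capabilities) -> Optional[str]:
    """Pre-fix behaviour: the listing column ignores the Q&A rule entirely."""
    post = last_post(forum, discussion_id)
    return post.author if post else None

def listing_row_fixed(forum, discussion_id, user, capabilities) -> Optional[str]:
    """Fixed behaviour: the column applies the same rule as the post bodies."""
    post = last_post(forum, discussion_id)
    if post is None or not may_see_other_authors(forum, discussion_id, user, capabilities):
        return None  # no author shown until the viewer qualifies
    return post.author
```

The listing column is the point of the advisory: post bodies were already gated, but a second code path rendering the same discussion leaked the identity the gate was meant to hide.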
Copyright 2019, SecurityGlobal.net LLC