Moodle Multiple Vulnerabilities
Release Date: 2013-03-25
Criticality level: Less critical
Impact: Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information
Where: From remote
Solution Status: Vendor Patch
Two weaknesses and multiple vulnerabilities have been reported in Moodle. They can be exploited by malicious users to disclose potentially sensitive information, manipulate certain data, and conduct script insertion attacks, and by malicious people to disclose potentially sensitive information and system information.
1) The application does not properly restrict access to user profiles in user/view.php, which can be exploited to disclose certain profile information.
Successful exploitation of this vulnerability requires the "autologinguests" and "opentogoogle" settings to be enabled (both are disabled by default).
2) The application displays the full installation path within exception messages.
3) Input passed via the file name when uploading files to the File Picker is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site if the malicious data is viewed.
4) An XML external entity (XXE) error in the Zend XmlRpc component can be exploited to e.g. disclose the contents of certain local files by sending specially crafted XML data that includes external entity references.
5) The application does not properly restrict access to certain repositories when using the "login-as" functionality, which can be exploited to disclose the content of personal repositories of the impersonated user.
Successful exploitation of this vulnerability requires "admin" privileges.
6) The application does not properly restrict access to site-wide WebDav repositories, which can be exploited to e.g. view, edit, and delete an otherwise restricted site-wide WebDav repository.
Successful exploitation of this vulnerability requires permissions to view WebDav repositories.
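As a defensive illustration of item 4, the following added example (written here in Python as a language-neutral stand-in; it is not Moodle's or Zend's code) inspects an incoming XML-RPC request body with expat, refuses to resolve any external entity reference, and rejects any request that carries a DOCTYPE at all, since XML-RPC never needs one. The two request bodies are constructed samples and the SYSTEM identifier is a placeholder.

```python
import xml.parsers.expat

# Constructed sample request bodies (not taken from the advisory).
BENIGN_REQUEST = b"""<?xml version="1.0"?>
<methodCall><methodName>core.ping</methodName><params/></methodCall>"""

# Shape of a request that declares and references an external entity;
# the SYSTEM identifier is a placeholder, not a real path.
ENTITY_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE methodCall [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER"> ]>
<methodCall><methodName>core.ping</methodName>
<params><param><value>&ext;</value></param></params></methodCall>"""


def inspect_xmlrpc_body(body: bytes) -> dict:
    """Parse with expat and record DTD features an XML-RPC request never
    needs. External entity references are refused, never resolved."""
    findings = {"doctype": False, "external_entities": [], "refused_refs": 0}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings["doctype"] = True

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # An entity with a system or public identifier points outside the document.
        if sysid is not None or pubid is not None:
            findings["external_entities"].append(name)

    def on_external_ref(context, base, sysid, pubid):
        findings["refused_refs"] += 1
        return 0  # a false return makes expat abort instead of fetching it

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError:
        pass  # aborted or malformed input; the findings gathered so far still stand
    return findings


def accept_xmlrpc_body(body: bytes) -> bool:
    """Gate for an XML-RPC endpoint: any DOCTYPE is rejected outright."""
    return not inspect_xmlrpc_body(body)["doctype"]
```

The findings dictionary is what you would log on rejection, so that DOCTYPE-bearing requests to an XML-RPC endpoint show up as a detection signal rather than failing silently.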
The weaknesses and the vulnerabilities are reported in versions 2.4 through 2.4.1, 2.3 through 2.3.4, and 2.2 through 2.2.7.
Update to version 2.4.2, 2.4.3, 2.3.5, 2.3.6, 2.2.8, or 2.2.9.
Provided and/or discovered by:
The vendor credits:
1) Helen Foster
2) Mark Nielsen
3, 4, and 6) Frederic Massart
5) Andrew Nicols
Moodle (MSA-13-0012, MSA-13-0013, MSA-13-0015, MSA-13-0016, MSA-13-0018, MSA-13-0019):