=======================================================================
MSA-12-0051: File upload size constraint issue

Topic: /repository/repository_ajax.php allows you to supply -1 for "maxbytes" and side step moodle file size restrictions
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.1+, 2.2 to 2.2.4+
Reported by: Andrew Davis
Issue no.: MDL-30792
CVE Identifier: CVE-2012-4400
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-30792

Description:
It was possible for a user to manipulate script parameters to upload a file larger than set limits.

=======================================================================
MSA-12-0052: Course topics permission issue

Topic: Permissions problems in topic course format
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.1+, 2.2 to 2.2.4+
Reported by: Alexander Bias
Issue no.: MDL-28207
CVE Identifier: 2012-4401
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28207

Description:
Users with course editing capabilities, but without permission to show/hide topics and set the current topic were able to complete these actions under certain conditions.

=======================================================================
MSA-12-0053: Blog file access issue

Topic: 'publishstate' === 'public'
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.1+, 2.2 to 2.2.4+, 2.1 to 2.1.7+
Reported by: Kyle Decot
Issue no.: MDL-34585
CVE Identifier: CVE-2012-4407
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34585

Description:
Files embedded as part of a blog were being delivered without checking the publication state properly.
=======================================================================
MSA-12-0054: Course reset permission issue

Topic: Course reset not protected by proper capability
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.1+, 2.2 to 2.2.4+, 2.1 to 2.1.7+
Reported by: Rex Lorenzo
Issue no.: MDL-34519
CVE Identifier: CVE-2012-4408
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34519

Description:
The course reset link was protected by a correct permission but the reset page itself was being checked for a different permission.

=======================================================================
MSA-12-0055: Web service access token issue

Topic: A web service token allows the user to run functions from any external service, not just those linked to the external service the token is for
Severity/Risk: Serious
Versions affected: 2.3 to 2.3.1+, 2.2 to 2.2.4+, 2.1 to 2.1.7+
Reported by: Nathan Mares
Issue no.: MDL-34368
CVE Identifier: CVE-2012-4402
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34368

Description:
Users with permission to access multiple services were able to use a token from one service to access another.

=======================================================================
MSA-12-0056: Information leak in drag-and-drop

Topic: Information disclosure in yui_combo.php
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.1+
Reported by: Mark Baseggio
Issue no.: MDL-35168
CVE Identifier: CVE-2012-4403
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35168

Description:
The drag-and-drop script was responding to bad requests with information that included the full path to scripts on the server.
Thanks to Anthony for bumping to new versions. Please drop the vulnerable versions and we can get rid of this bug.
(In reply to comment #1)
> Thanks to Anthony for bumping to new versions.
>
> Please drop the vulnerable versions and we can get rid of this bug.

Done
(In reply to comment #2)
> Done

Thanks, again! Closing noglsa for ~arch only.
CVE-2012-4408 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4408):
  course/reset.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and 2.3.x before 2.3.2 checks an update capability instead of a reset capability, which allows remote authenticated users to bypass intended access restrictions via a reset operation.

CVE-2012-4407 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4407):
  lib/filelib.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and 2.3.x before 2.3.2 does not properly check the publication state of blog files, which allows remote attackers to obtain sensitive information by reading a blog entry that references a non-public file.

CVE-2012-4403 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4403):
  theme/yui_combo.php in Moodle 2.3.x before 2.3.2 does not properly construct error responses for the drag-and-drop script, which allows remote attackers to obtain the installation path by sending a request for a nonexistent resource and then reading the response.

CVE-2012-4402 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4402):
  webservice/lib.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and 2.3.x before 2.3.2 does not properly restrict the use of web-service tokens, which allows remote authenticated users to run arbitrary external-service functions via a token intended for only one service.

CVE-2012-4401 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4401):
  Moodle 2.2.x before 2.2.5 and 2.3.x before 2.3.2 allows remote authenticated users to bypass intended capability restrictions and perform certain topic changes by leveraging course-editing capabilities.

CVE-2012-4400 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4400):
  repository/repository_ajax.php in Moodle 2.2.x before 2.2.5 and 2.3.x before 2.3.2 allows remote authenticated users to bypass intended upload-size restrictions via a -1 value in the maxbytes field.
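
Added example, not part of the original bug report and not Moodle's code: a small Python model of the authorization flaw described for CVE-2012-4402, contrasting a check against every service the token's user may access with a check bound to the service the token was issued for. All service, token, user and function names are constructed for illustration.

```python
# Constructed model of token-scoped web-service dispatch.
# Names are hypothetical; this is not Moodle's schema or API.

# Functions exposed by each external service.
SERVICES = {
    "mobile": {"get_courses", "get_grades"},
    "admin_sync": {"create_user", "delete_user"},
}

# Each token is issued to one user for exactly one service.
TOKENS = {
    "tok-mobile-alice": {"user": "alice", "service": "mobile"},
}

# Services each user is authorised to use (alice may use both).
USER_SERVICES = {"alice": {"mobile", "admin_sync"}}


class AccessDenied(Exception):
    """Raised when a token may not call the requested function."""


def allowed_flawed(token, function):
    """Flawed: accepts any function from any service the *user* can reach."""
    info = TOKENS.get(token)
    if info is None:
        return False
    user_services = USER_SERVICES.get(info["user"], set())
    return any(function in SERVICES[name] for name in user_services)


def allowed_scoped(token, function):
    """Scoped: accepts only functions of the service the *token* is bound to."""
    info = TOKENS.get(token)
    if info is None:
        return False
    return function in SERVICES.get(info["service"], set())


def dispatch(token, function, check=allowed_scoped):
    """Run the authorization check before calling the function."""
    if not check(token, function):
        raise AccessDenied(f"{function} is not permitted for this token")
    return f"called {function}"
```
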