-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0089
        A number of vulnerabilities have been identified in Moodle
                 prior to 2.7.1, 2.6.4, 2.5.7 and 2.4.11.
                               28 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Moodle
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Cross-site Scripting            -- Remote with User Interaction
                      Access Confidential Data        -- Remote/Unauthenticated
                      Unauthorised Access             -- Remote/Unauthenticated
                      Reduced Security                -- Unknown/Unspecified
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-3553 CVE-2014-3552 CVE-2014-3551
                      CVE-2014-3550 CVE-2014-3549 CVE-2014-3548
                      CVE-2014-3547 CVE-2014-3546 CVE-2014-3545
                      CVE-2014-3544 CVE-2014-3543 CVE-2014-3542
                      CVE-2014-3541
Member content until: Wednesday, August 27 2014

OVERVIEW

        A number of vulnerabilities have been identified in Moodle prior to
        2.7.1, 2.6.4, 2.5.7 and 2.4.11. [1 - 13]


IMPACT

        The vendor has provided the following details regarding these 
        vulnerabilities:
        
        "CVE-2014-3552: Shibboleth was allowing empty session IDs and 
        confusing sessions when more than one instance was associated with 
        an empty ID." [1]
        
        "CVE-2014-3541: Serialised data passed by repositories could 
        potentially contain objects defined by add-ons that could include 
        executable code." [2]
        
        "CVE-2014-3542: It was possible for manipulated XML files passed 
        from LTI servers to be interpreted by Moodle to allow access to 
        server-side files." [3]
        
        "CVE-2014-3543: It was possible for manipulated XML files to be 
        uploaded to the IMSCC course format or the IMSCP resource to allow 
        access to server-side files." [4]
        
        "CVE-2014-3544: Filtering of the Skype profile field was not 
        removing potentially harmful code." [5]
        
        "CVE-2014-3545: It was possible to inject code into Calculated 
        questions that would be executed on the server." [6]
        
        "CVE-2014-3546: It was possible to get limited user information, 
        such as user name and courses, by manipulating the URL of profile 
        and notes pages." [7]
        
        "CVE-2014-3553: Forum was allowing users who were members of more 
        than one group to post to all groups without the capability to 
        access all groups." [8]
        
        "CVE-2014-3547: The details of badges from external sources were not
        being filtered." [9]
        
        "CVE-2014-3548: Content of exception dialogues presented from AJAX 
        calls was not being escaped before being presented to users." [10]
        
        "CVE-2014-3549: Log entries of failed login attempts were not 
        filtered correctly." [11]
        
        "CVE-2014-3550: Error messages generated by scheduled tasks were 
        being presented to admins without correct filtering." [12]
        
        "CVE-2014-3551: Fields in rubrics were not being correctly filtered."
        [13]
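        The repository issue above (CVE-2014-3541) comes from handing attacker-
        controlled serialised data to unserialize(), which will instantiate any
        class named in the payload and run its magic methods. The following is an
        added example written for this bulletin, not Moodle's own fix; it shows
        one way a PHP application can decode such data without letting the
        payload create objects. The function name, option keys and sample payloads
        are constructed for illustration.

```php
<?php
// Added example, not Moodle code: decode serialised repository options
// without letting the payload instantiate arbitrary classes.
// Requires PHP 7.0+ for the allowed_classes option of unserialize().

declare(strict_types=1);

function decode_repository_options(string $payload): array
{
    // allowed_classes => false turns every object in the payload into a
    // __PHP_Incomplete_Class placeholder instead of a live instance, so no
    // __wakeup() or __destruct() defined by an add-on class can ever run.
    // The @ silences the E_NOTICE unserialize() raises on malformed input;
    // that case is handled explicitly below.
    $decoded = @unserialize($payload, ['allowed_classes' => false]);

    // unserialize() returns false on malformed input. A genuine boolean false
    // is never a valid options set here, so both cases are rejected.
    if (!is_array($decoded)) {
        throw new InvalidArgumentException('Repository options must be a serialised array');
    }

    // Refuse the payload outright if it carried any object, even a neutralised
    // placeholder: legitimate options are plain scalars and arrays only.
    array_walk_recursive($decoded, function ($value): void {
        if (is_object($value)) {
            throw new InvalidArgumentException('Objects are not permitted in repository options');
        }
    });

    return $decoded;
}

// Constructed sample payloads (hypothetical class name, not from any real plugin).
$plain      = serialize(['path' => '/uploads/course1', 'recursive' => true]);
$withObject = 'a:1:{s:4:"opts";O:14:"SomeAddonClass":0:{}}';

$options = decode_repository_options($plain);
echo 'path = ', $options['path'], PHP_EOL;

try {
    decode_repository_options($withObject);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

        Where the data format is under your control, a non-executable encoding
        such as JSON removes the class-instantiation problem entirely;
        allowed_classes is the defence for data that must stay in PHP's
        serialised form.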

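        The two XML issues above (CVE-2014-3542 in LTI replies, CVE-2014-3543 in
        uploaded IMSCC/IMSCP packages) are both XML External Entity problems: an
        entity declared in the document's DOCTYPE is expanded by the parser into
        the contents of a server-side file. The following is an added example
        written for this bulletin, not Moodle's own fix; it shows a hardened
        loader for XML from an untrusted source. The function name and sample
        documents are constructed, and the "file:///placeholder/path" URI is a
        placeholder rather than any real path.

```php
<?php
// Added example, not Moodle code: load XML received from an external source
// (an LTI server reply, an uploaded course package) without ever resolving
// external entities.

declare(strict_types=1);

function load_untrusted_xml(string $xml): DOMDocument
{
    // First line of defence: a legitimate manifest or LTI reply never needs a
    // DOCTYPE, and every entity declaration (internal or external) lives in one.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('DOCTYPE not accepted in untrusted XML');
    }

    $previousErrorMode = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET forbids any network access during parsing.
    // LIBXML_NOENT is deliberately NOT passed, so entity references are left
    // unexpanded even if a DOCTYPE somehow got past the check above.
    $loaded = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previousErrorMode);

    if ($loaded === false) {
        throw new RuntimeException('Malformed XML rejected');
    }
    // Second line of defence: refuse the document if the parser recorded a DOCTYPE.
    if ($doc->doctype !== null) {
        throw new InvalidArgumentException('DOCTYPE not accepted in untrusted XML');
    }

    return $doc;
}

// Constructed sample documents (not taken from any real package or LTI exchange).
$benign = '<?xml version="1.0"?><manifest><resource href="page.html"/></manifest>';
$withEntity = '<?xml version="1.0"?>'
    . '<!DOCTYPE manifest [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    . '<manifest><resource href="&ext;"/></manifest>';

$doc = load_untrusted_xml($benign);
echo 'href = ', $doc->getElementsByTagName('resource')->item(0)->getAttribute('href'), PHP_EOL;

try {
    load_untrusted_xml($withEntity);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

        The same loader applies to any untrusted XML the application accepts; the
        DOCTYPE check is cheap enough to run on every upload, and the absence of
        LIBXML_NOENT keeps the parser from substituting entities regardless of
        the libxml version in use.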

MITIGATION

        The vendor has stated that these issues have been corrected in 
        versions 2.7.1, 2.6.4, 2.5.7 and 2.4.11. [1 - 13]


REFERENCES

        [1] MSA-14-0020: Identity confusion in Shibboleth authentication
            https://moodle.org/mod/forum/discuss.php?d=264261

        [2] MSA-14-0021: Code injection in Repositories
            https://moodle.org/mod/forum/discuss.php?d=264262

        [3] MSA-14-0022: XML External Entity vulnerability in LTI module
            https://moodle.org/mod/forum/discuss.php?d=264263

        [4] MSA-14-0023: XML External Entity vulnerability in IMSCC and IMSCP
            https://moodle.org/mod/forum/discuss.php?d=264264

        [5] MSA-14-0024: Cross-site scripting vulnerability in profile field
            https://moodle.org/mod/forum/discuss.php?d=264265

        [6] MSA-14-0025: Remote code execution in Quiz
            https://moodle.org/mod/forum/discuss.php?d=264266

        [7] MSA-14-0026: Information leak in profile and notes pages
            https://moodle.org/mod/forum/discuss.php?d=264267

        [8] MSA-14-0027: Forum group posting issue
            https://moodle.org/mod/forum/discuss.php?d=264268

        [9] MSA-14-0028: Cross-site scripting possible in external badges
            https://moodle.org/mod/forum/discuss.php?d=264269

        [10] MSA-14-0029: Cross-site scripting vulnerability in exception
             dialogues
             https://moodle.org/mod/forum/discuss.php?d=264270

        [11] MSA-14-0030: Cross-site scripting through logs of failed logins
             https://moodle.org/mod/forum/discuss.php?d=264271

        [12] MSA-14-0031: Cross-site scripting through scheduled task error
             messages
             https://moodle.org/mod/forum/discuss.php?d=264272

        [13] MSA-14-0032: Cross-site scripting in advanced grading methods
             https://moodle.org/mod/forum/discuss.php?d=264273

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----