FAQ+Moodle+Security

SECURITY ISSUES

As well as a long list of bug fixes, performance improvements and polishing, there are 9 security issues you should be aware of.

To avoid leaving your site vulnerable we highly recommend you upgrade your sites to the latest Moodle version as soon as you can.

If you cannot upgrade then please check the following list carefully and implement the provided workarounds or patches.

Thanks as always to EVERYONE involved in reporting and fixing security issues for all their hard work. It really is a team effort and one with more and more people involved all the time.

Cheers and thanks for using Moodle!

================================================
MSA-11-0018: Lacking capability controls over cohorts

Topic: Cohort enrol plugin capability problems and missing cohort access control
Severity/Risk: Minor
Versions affected: < 2.0.4, < 2.1.1 (1.9.x not affected)
Reported by: Petr Škoda
Issue no.: MDL-28462
Solution: upgrade to 2.0.4 or 2.1.1
Workaround: Avoid using cohorts

Description: In order to securely control the creation and oversight of cohorts, additional capabilities have been introduced.

================================================
MSA-11-0019: Themes writing to files outside Moodle data directory

Topic: Theme cache folder
Severity/Risk: Minor
Versions affected: < 2.0.4, < 2.1.1 (1.9.x not affected)
Reported by: Matthew Davidson
Issue no.: MDL-28147
Solution: upgrade to 2.0.4 or 2.1.1
Workaround: apply Git patch

Description: When caching was incorrectly controlled by a theme, there was the potential for writing to a file system's temporary directory.

================================================
MSA-11-0020: Continue links in error messages can lead offsite

Topic: Continuation link can sometimes link offsite
Severity/Risk: Minor
Versions affected: < 1.9.13, < 2.0.4, < 2.1.1
Reported by: Matt Meisberger
Issue no.: MDL-27464
Solution: upgrade to latest version
Workaround: apply patch

Description: It was possible for error message links to lead offsite.

================================================
MSA-11-0021: Role assignment web service function not following restrictions

Topic: moodle_enrol_external:role_assign does not obey role assignment restrictions
Severity/Risk: Minor
Versions affected: < 2.0.4, < 2.1.1 (1.9.x not affected)
Reported by: Petr Škoda
Issue no.: MDL-28350
Solution: upgrade to 2.0.4 or 2.1.1
Workaround: avoid using web services

Description: Not all roles may be assigned by everybody in all contexts, but this was not being checked.

================================================
MSA-11-0022: Course creators could change filters at course level

Topic: Course creator role has incorrect default permissions
Severity/Risk: Minor
Versions affected: < 2.0.4, < 2.1.1 (1.9.x not affected)
Reported by: Ray Lawrence
Issue no.: MDL-27994
Solution: Manually alter permissions in older sites to remove rights from course creators

Description: The default permission for course creators allowed them to alter course filters, which was an issue for users with mixed roles.

================================================
MSA-11-0023: Guests can add comments to front page activities

Topic: Guests can add comments to front page activities
Severity/Risk: Serious
Versions affected: < 2.0.4, < 2.1.1 (1.9.x not affected)
Reported by: Helen Foster
Issue no.: MDL-28503
Solution: upgrade to 2.0.4 or 2.1.1
Workaround: Avoid adding comment blocks to pages accessible by guests

Description: With this ability it was possible for users who were not logged in to post comments.

================================================
MSA-11-0024: Recaptcha images were being authenticated from an older server

Topic: Recaptcha is still authenticating to old servers on Moodle 1.9
Severity/Risk: Minor
Versions affected: < 1.9.13 (2.x not affected)
Reported by: Ryan Charpentier
Issue no.: MDL-27889
Solution: upgrade to 1.9.13
Workaround: manually change URL to "[]"

Description: Moodle is still trying to connect to the old Recaptcha servers. Since Google has purchased Recaptcha, this server has changed.

================================================
MSA-11-0025: Group names in user upload CSV not being escaped

Topic: SQL injection vulnerability in user upload
Severity/Risk: Serious
Versions affected: < 1.9.13 (2.x not affected)
Reported by: Matt Meisberger
Issue no.: MDL-28197
Solution: upgrade to 1.9.13
Workaround: Escape quotes in user upload CSV files

Description: When uploading a CSV file with group names that contain quotes, this could throw off SQL processing. This is only exploitable by admins, but could accidentally lead to DB corruption.

================================================
MSA-11-0026: Fields in user upload CSV not being escaped

Topic: Flat file enrollments have various SQL injection vulnerabilities
Severity/Risk: Serious
Versions affected: < 1.9.13 (2.x not affected)
Reported by: Matt Meisberger
Issue nos.: MDL-28360
Solution: upgrade to 1.9.13
Workaround: Escape quotes in user upload CSV files

Description: When uploading a CSV file with fields containing quotes, this could throw off SQL processing. This is only exploitable by admins, but could accidentally lead to DB corruption.
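
For sites that must stay on an affected 1.9.x release, the workaround in MSA-11-0025 and MSA-11-0026 starts with finding the fields that contain quotes. The following is an added example, not Moodle code: it scans a constructed upload file for such fields and uses an in-memory SQLite table to show why a quoted value breaks a concatenated statement but not a bound parameter. The column names, table name and function names are assumptions made for this example.

```python
import csv
import io
import sqlite3

# Constructed sample upload; the column names are assumptions for this example.
SAMPLE_CSV = """username,firstname,lastname,group1
asmith,Anna,Smith,Year 7
bobrien,Brian,O'Brien,Year 8
cjones,Cara,Jones,Teachers' Lounge
"""

def find_quoted_fields(csv_text):
    """Return (line, column, value) for each field containing a quote or backslash."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        for column, value in row.items():
            if value and any(ch in value for ch in "'\"\\"):
                findings.append((reader.line_num, column, value))
    return findings

def lookup_concatenated(conn, name):
    """Illustrative unsafe pattern: the CSV value is pasted into the SQL text."""
    return conn.execute(
        "SELECT id FROM course_groups WHERE name = '" + name + "'").fetchall()

def lookup_bound(conn, name):
    """Same lookup with the value passed as a bound parameter."""
    return conn.execute(
        "SELECT id FROM course_groups WHERE name = ?", (name,)).fetchall()

def compare_lookups(name):
    """Run both lookups against an in-memory table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE course_groups (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO course_groups (name) VALUES (?)", (name,))
    try:
        concatenated = lookup_concatenated(conn, name)
    except sqlite3.OperationalError as exc:
        concatenated = "SQL error: %s" % exc
    return concatenated, lookup_bound(conn, name)

if __name__ == "__main__":
    for line, column, value in find_quoted_fields(SAMPLE_CSV):
        print("line %d, column %s: %r" % (line, column, value))
    print(compare_lookups("Teachers' Lounge"))
```

Rows reported by `find_quoted_fields` are the ones to review or escape before uploading to an unpatched site.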