7.5 - DSA-2115

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Summary
Title	New moodle packages fix several vulnerabilities

Informations
Name	DSA-2115	First vendor Publication	2010-09-29
Vendor	Debian	Last vendor Modification	2010-10-11
Severity (Vendor)	N/A	Revision	2

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score	7.5	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

DSA-2115-1 introduced a regression because it lacked a dependency on the wwwconfig-common package, leading to installations problems. This update addresses this issue. For reference, the text of the original advisory is provided below.

Several remote vulnerabilities have been discovered in Moodle, a course management system. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2010-1613 Moodle does not enable the "Regenerate session id during login" setting by default, which makes it easier for remote attackers to conduct session fixation attacks.

CVE-2010-1614 Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the Login-As feature or (2) when the global search feature is enabled, unspecified global search forms in the Global Search Engine.

CVE-2010-1615 Multiple SQL injection vulnerabilities allow remote attackers to execute arbitrary SQL commands via vectors related to (1) the add_to_log function in mod/wiki/view.php in the wiki module, or (2) "data validation in some forms elements" related to lib/form/selectgroups.php.

CVE-2010-1616 Moodle can create new roles when restoring a course, which allows teachers to create new accounts even if they do not have the moodle/user:create capability.

CVE-2010-1617 user/view.php does not properly check a role, which allows remote authenticated users to obtain the full names of other users via the course profile page.

CVE-2010-1618 A Cross-site scripting (XSS) vulnerability in the phpCAS client library allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is not properly handled in an error message.

CVE-2010-1619 A Cross-site scripting (XSS) vulnerability in the fix_non_standard_entities function in the KSES HTML text cleaning library (weblib.php) allows remote attackers to inject arbitrary web script or HTML via crafted HTML entities.

CVE-2010-2228 A Cross-site scripting (XSS) vulnerability in the MNET access-control interface allows remote attackers to inject arbitrary web script or HTML via vectors involving extended characters in a username.

CVE-2010-2229 Multiple cross-site scripting (XSS) vulnerabilities in blog/index.php allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.

CVE-2010-2230 The KSES text cleaning filter in lib/weblib.php does not properly handle vbscript URIs, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via HTML input.

CVE-2010-2231 A Cross-site request forgery (CSRF) vulnerability in report/overview/report.php in the quiz module allows remote attackers to hijack the authentication of arbitrary users for requests that delete quiz attempts via the attemptid parameter.

This security update switches to a new upstream version and requires database updates. After installing the fixed package, you must visit and follow the update instructions.

For the stable distribution (lenny), these problems have been fixed in version 1.8.13-2.

For the unstable distribution (sid), these problems have been fixed in version 1.9.9.dfsg2-1.

We recommend that you upgrade your moodle package.

Original Source

Url : http://www.debian.org/security/2010/dsa-2115

CWE : Common Weakness Enumeration

%	Id	Name
60 %	CWE-79	Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)
10 %	CWE-352	Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25)
10 %	CWE-287	Improper Authentication
10 %	CWE-264	Permissions, Privileges, and Access Controls
10 %	CWE-89	Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:11823

Oval ID:	oval:org.mitre.oval:def:11823
Title:	DSA-2115-2 moodle -- several
Description:	DSA-2115-1 introduced a regression because it lacked a dependency on the wwwconfig-common package, leading to installations problems. This update addresses this issue. For reference, the text of the original advisory is provided below. Several remote vulnerabilities have been discovered in Moodle, a course management system. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-1613 Moodle does not enable the "Regenerate session id during login" setting by default, which makes it easier for remote attackers to conduct session fixation attacks. CVE-2010-1614 Multiple cross-site scripting vulnerabilities allow remote attackers to inject arbitrary web script or HTML via vectors related to the Login-As feature or when the global search feature is enabled, unspecified global search forms in the Global Search Engine. CVE-2010-1615 Multiple SQL injection vulnerabilities allow remote attackers to execute arbitrary SQL commands via vectors related to the add_to_log function in mod/wiki/view.php in the wiki module, or "data validation in some forms elements" related to lib/form/selectgroups.php. CVE-2010-1616 Moodle can create new roles when restoring a course, which allows teachers to create new accounts even if they do not have the moodle/user:create capability. CVE-2010-1617 user/view.php does not properly check a role, which allows remote authenticated users to obtain the full names of other users via the course profile page. CVE-2010-1618 A Cross-site scripting vulnerability in the phpCAS client library allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is not properly handled in an error message. CVE-2010-1619 A Cross-site scripting vulnerability in the fix_non_standard_entities function in the KSES HTML text cleaning library allows remote attackers to inject arbitrary web script or HTML via crafted HTML entities. CVE-2010-2228 A Cross-site scripting vulnerability in the MNET access-control interface allows remote attackers to inject arbitrary web script or HTML via vectors involving extended characters in a username. CVE-2010-2229 Multiple cross-site scripting vulnerabilities in blog/index.php allow remote attackers to inject arbitrary web script or HTML via unspecified parameters. CVE-2010-2230 The KSES text cleaning filter in lib/weblib.php does not properly handle vbscript URIs, which allows remote authenticated users to conduct cross-site scripting attacks via HTML input. CVE-2010-2231 A Cross-site request forgery vulnerability in report/overview/report.php in the quiz module allows remote attackers to hijack the authentication of arbitrary users for requests that delete quiz attempts via the attemptid parameter. This security update switches to a new upstream version and requires database updates. For the stable distribution, these problems have been fixed in version 1.8.13-2. For the unstable distribution, these problems have been fixed in version 1.9.9.dfsg2-1. We recommend that you upgrade your moodle package.
Family:	unix	Class:	patch
Reference(s):	DSA-2115-2 CVE-2010-1613 CVE-2010-1614 CVE-2010-1615 CVE-2010-1616 CVE-2010-1617 CVE-2010-1618 CVE-2010-1619 CVE-2010-2228 CVE-2010-2229 CVE-2010-2230 CVE-2010-2231	Version:	5
Platform(s):	Debian GNU/Linux 5.0	Product(s):	moodle
Definition Synopsis:
Debian GNU/Linux 5.0 is installed AND Installed architecture is all AND moodle DPKG is earlier than 1.8.13-2

Definition Id: oval:org.mitre.oval:def:12759

Oval ID:	oval:org.mitre.oval:def:12759
Title:	DSA-2115-1 moodle -- several
Description:	Several remote vulnerabilities have been discovered in Moodle, a course management system. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-1613 Moodle does not enable the "Regenerate session id during login" setting by default, which makes it easier for remote attackers to conduct session fixation attacks. CVE-2010-1614 Multiple cross-site scripting vulnerabilities allow remote attackers to inject arbitrary web script or HTML via vectors related to the Login-As feature or when the global search feature is enabled, unspecified global search forms in the Global Search Engine. CVE-2010-1615 Multiple SQL injection vulnerabilities allow remote attackers to execute arbitrary SQL commands via vectors related to the add_to_log function in mod/wiki/view.php in the wiki module, or "data validation in some forms elements" related to lib/form/selectgroups.php. CVE-2010-1616 Moodle can create new roles when restoring a course, which allows teachers to create new accounts even if they do not have the moodle/user:create capability. CVE-2010-1617 user/view.php does not properly check a role, which allows remote authenticated users to obtain the full names of other users via the course profile page. CVE-2010-1618 A Cross-site scripting vulnerability in the phpCAS client library allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is not properly handled in an error message. CVE-2010-1619 A Cross-site scripting vulnerability in the fix_non_standard_entities function in the KSES HTML text cleaning library allows remote attackers to inject arbitrary web script or HTML via crafted HTML entities. CVE-2010-2228 A Cross-site scripting vulnerability in the MNET access-control interface allows remote attackers to inject arbitrary web script or HTML via vectors involving extended characters in a username. CVE-2010-2229 Multiple cross-site scripting vulnerabilities in blog/index.php allow remote attackers to inject arbitrary web script or HTML via unspecified parameters. CVE-2010-2230 The KSES text cleaning filter in lib/weblib.php does not properly handle vbscript URIs, which allows remote authenticated users to conduct cross-site scripting attacks via HTML input. CVE-2010-2231 A Cross-site request forgery vulnerability in report/overview/report.php in the quiz module allows remote attackers to hijack the authentication of arbitrary users for requests that delete quiz attempts via the attemptid parameter. This security update switches to a new upstream version and requires database updates. For the stable distribution, these problems have been fixed in version 1.8.13-1. For the unstable distribution, these problems have been fixed in version 1.9.9.dfsg2-1. We recommend that you upgrade your moodle package.
Family:	unix	Class:	patch
Reference(s):	DSA-2115-1 CVE-2010-1613 CVE-2010-1614 CVE-2010-1615 CVE-2010-1616 CVE-2010-1617 CVE-2010-1618 CVE-2010-1619 CVE-2010-2228 CVE-2010-2229 CVE-2010-2230 CVE-2010-2231	Version:	5
Platform(s):	Debian GNU/Linux 5.0	Product(s):	moodle
Definition Synopsis:
Debian GNU/Linux 5.0 is installed AND Installed architecture is all AND moodle DPKG is earlier than 1.8.13-1

CPE : Common Platform Enumeration

Type	Description	Count
Application	Ja-Sig Phpcas Client Library cpe:2.3:a:ja-sig:phpcas_client_library:1.0.1:::::::* cpe:2.3:a:ja-sig:phpcas_client_library:1.0.0:::::::*	2
Application	Moodle cpe:2.3:a:moodle:moodle:1.9.8:::::::* cpe:2.3:a:moodle:moodle:1.9.7:::::::* cpe:2.3:a:moodle:moodle:1.9.6:::::::* cpe:2.3:a:moodle:moodle:1.9.5:::::::* cpe:2.3:a:moodle:moodle:1.9.4:::::::* cpe:2.3:a:moodle:moodle:1.9.3:::::::* cpe:2.3:a:moodle:moodle:1.9.2:::::::* cpe:2.3:a:moodle:moodle:1.9.1:::::::* cpe:2.3:a:moodle:moodle:1.8.9:::::::* cpe:2.3:a:moodle:moodle:1.8.8:::::::* cpe:2.3:a:moodle:moodle:1.8.7:::::::* cpe:2.3:a:moodle:moodle:1.8.6:::::::* cpe:2.3:a:moodle:moodle:1.8.5:::::::* cpe:2.3:a:moodle:moodle:1.8.4:::::::* cpe:2.3:a:moodle:moodle:1.8.3:::::::* cpe:2.3:a:moodle:moodle:1.8.2:::::::* cpe:2.3:a:moodle:moodle:1.8.12:::::::* cpe:2.3:a:moodle:moodle:1.8.11:::::::* cpe:2.3:a:moodle:moodle:1.8.10:::::::* cpe:2.3:a:moodle:moodle:1.8.1:::::::* cpe:2.3:a:moodle:moodle:1.8.0:::::::* cpe:2.3:a:moodle:moodle:1.7.6:::::::* cpe:2.3:a:moodle:moodle:1.7.5:::::::* cpe:2.3:a:moodle:moodle:1.7.4:::::::* cpe:2.3:a:moodle:moodle:1.7.3:::::::* cpe:2.3:a:moodle:moodle:1.7.2:::::::* cpe:2.3:a:moodle:moodle:1.7.1:::::::* cpe:2.3:a:moodle:moodle:1.7.0:::::::* cpe:2.3:a:moodle:moodle:1.6.8:::::::* cpe:2.3:a:moodle:moodle:1.6.7:::::::* cpe:2.3:a:moodle:moodle:1.6.6:::::::* cpe:2.3:a:moodle:moodle:1.6.5:::::::* cpe:2.3:a:moodle:moodle:1.6.4:::::::* cpe:2.3:a:moodle:moodle:1.6.3:::::::* cpe:2.3:a:moodle:moodle:1.6.2:::::::* cpe:2.3:a:moodle:moodle:1.6.1:::::::* cpe:2.3:a:moodle:moodle:1.6.0:::::::* cpe:2.3:a:moodle:moodle:1.5.3:::::::* cpe:2.3:a:moodle:moodle:1.5.2:::::::* cpe:2.3:a:moodle:moodle:1.5.1:::::::* cpe:2.3:a:moodle:moodle:1.5.0:beta:::::: cpe:2.3:a:moodle:moodle:1.5.0:-:::::: cpe:2.3:a:moodle:moodle:1.5_beta:::::::* cpe:2.3:a:moodle:moodle:1.4.5:::::::* cpe:2.3:a:moodle:moodle:1.4.4:::::::* cpe:2.3:a:moodle:moodle:1.4.3:::::::* cpe:2.3:a:moodle:moodle:1.4.2:::::::* cpe:2.3:a:moodle:moodle:1.4.1:::::::* cpe:2.3:a:moodle:moodle:1.3.4:::::::* cpe:2.3:a:moodle:moodle:1.3.3:::::::* cpe:2.3:a:moodle:moodle:1.3.2:::::::* cpe:2.3:a:moodle:moodle:1.3.1:::::::* cpe:2.3:a:moodle:moodle:1.3.0:::::::* cpe:2.3:a:moodle:moodle:1.2.1:::::::* cpe:2.3:a:moodle:moodle:1.2.0:::::::* cpe:2.3:a:moodle:moodle:1.1.1:::::::* cpe:2.3:a:moodle:moodle::::::::	57

OpenVAS Exploits

Date	Description
2010-07-12	Name : Moodle Cross Site Scripting and Cross Site Request Forgery Vulnerabilities File : nvt/gb_moodle_xss_n_csrf_vuln.nasl
2010-06-25	Name : Fedora Update for moodle FEDORA-2010-10286 File : nvt/gb_fedora_2010_10286_moodle_fc12.nasl
2010-06-25	Name : Fedora Update for moodle FEDORA-2010-10291 File : nvt/gb_fedora_2010_10291_moodle_fc13.nasl
2010-06-25	Name : Fedora Update for moodle FEDORA-2010-10321 File : nvt/gb_fedora_2010_10321_moodle_fc11.nasl
2010-06-21	Name : Moodle Multiple Vulnerabilities File : nvt/gb_moodle_40944.nasl
2010-05-19	Name : Moodle Multiple Vulnerabilities File : nvt/gb_moodle_mult_vuln.nasl
2010-05-19	Name : Moodle Session Fixation Vulnerability File : nvt/gb_moodle_session_fixation_vuln.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
65637	Moodle report/overview/report.php attemptid Parameter Quiz Report Deletion CSRF
65636	Moodle lib/weblib.php Unspecified Parameter XSS
65635	Moodle blog/index.php Unspecified Parameter XSS
65634	Moodle MNET Access Control Interface XSS
64324	Moodle weblib.php fix_non_standard_entities Function XSS
64323	Moodle user/view.php Course Profile Page Username Disclosure
64318	Moodle moodle/user:create Permission Weakness Course Restoration New Account ...
64317	Moodle lib/form/selectgroups.php Form Element SQL Injection
64316	Moodle Wiki Module mod/wiki/view.php add_to_log Function SQL Injection
64314	Moodle Global Search Engine Unspecified Search Form XSS
64313	Moodle Login-As Feature XSS
64312	Moodle Session ID Regeneration Setting Weakness Session Fixation
63123	phpCAS Unspecified XSS Jasig phpCAS 1.0.0, 1.0.1, and 1.1.0 contain a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate a URL containing a bogus ticket upon submission, prior to displaying it within the error page. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Nessus® Vulnerability Scanner

Date	Description
2010-10-06	Name : The remote Debian host is missing a security-related update. File : debian_DSA-2115.nasl - Type : ACT_GATHER_INFO
2010-07-13	Name : The remote openSUSE host is missing a security update. File : suse_11_0_moodle-100709.nasl - Type : ACT_GATHER_INFO
2010-07-13	Name : The remote openSUSE host is missing a security update. File : suse_11_1_moodle-100709.nasl - Type : ACT_GATHER_INFO
2010-07-01	Name : The remote Fedora host is missing a security update. File : fedora_2010-10286.nasl - Type : ACT_GATHER_INFO
2010-07-01	Name : The remote Fedora host is missing a security update. File : fedora_2010-10291.nasl - Type : ACT_GATHER_INFO
2010-07-01	Name : The remote Fedora host is missing a security update. File : fedora_2010-10321.nasl - Type : ACT_GATHER_INFO
2010-05-05	Name : The remote openSUSE host is missing a security update. File : suse_11_0_moodle-100503.nasl - Type : ACT_GATHER_INFO
2010-05-05	Name : The remote openSUSE host is missing a security update. File : suse_11_1_moodle-100503.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 11:29:42	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	10
Oval ID(s)	2
CPE ID(s)	59
osvdb(s)	13
Openvas Exploit(s)	7
Nessus® Exploit(s)	8

	Related
7.5	CVE-2010-1615
6.8	CVE-2010-2231
6.8	CVE-2010-1613
4.3	CVE-2010-2229
4.3	CVE-2010-2228
4.3	CVE-2010-1619
4.3	CVE-2010-1618
4.3	CVE-2010-1614
4	CVE-2010-2230
4	CVE-2010-1617
4	CVE-2010-1616
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 11 more Alert(s)