Executive Summary

Information
Name: CVE-2009-1171
Vendor: Cve
First vendor Publication: 2009-03-30
Last vendor Modification: 2020-12-01

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Cvss Base Score: 4.3
Cvss Impact Score: 2.9
Cvss Exploit Score: 8.6
Attack Range: Network
Attack Complexity: Medium
Authentication: None Required

Detail

The TeX filter in Moodle 1.6 before 1.6.9+, 1.7 before 1.7.7+, 1.8 before 1.8.9, and 1.9 before 1.9.5 allows user-assisted attackers to read arbitrary files via an input command in a "$$" sequence, which causes LaTeX to include the contents of the file.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1171

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-20 Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:13316
 
Oval ID: oval:org.mitre.oval:def:13316
Title: USN-791-2 -- moodle vulnerability
Description: Christian Eibl discovered that the TeX filter in Moodle allowed any function to be used. An authenticated remote attacker could post a specially crafted TeX formula to execute arbitrary TeX functions, potentially reading any file accessible to the web server user, leading to a loss of privacy
Family: unix Class: patch
Reference(s): USN-791-2
CVE-2009-1171
Version: 5
Platform(s): Ubuntu 9.04
Product(s): moodle
Definition Id: oval:org.mitre.oval:def:13687
 
Oval ID: oval:org.mitre.oval:def:13687
Title: USN-791-1 -- moodle vulnerabilities
Description: Thor Larholm discovered that PHPMailer, as used by Moodle, did not correctly escape email addresses. A local attacker with direct access to the Moodle database could exploit this to execute arbitrary commands as the web server user. Nigel McNie discovered that fetching https URLs did not correctly escape shell meta-characters. An authenticated remote attacker could execute arbitrary commands as the web server user, if curl was installed and configured. It was discovered that Smarty, did not correctly filter certain inputs. An authenticated remote attacker could exploit this to execute arbitrary PHP commands as the web server user. It was discovered that the unused SpellChecker extension in Moodle did not correctly handle temporary files. If the tool had been locally modified, it could be made to overwrite arbitrary local files via symlinks. Mike Churchward discovered that Moodle did not correctly filter Wiki page titles in certain areas. An authenticated remote attacker could exploit this to cause cross-site scripting, which could be used to modify or steal confidential data of other users within the same web domain. It was discovered that the HTML sanitizer, "Login as" feature, and logging in Moodle did not correctly handle certain inputs. An authenticated remote attacker could exploit this to generate XSS, which could be used to modify or steal confidential data of other users within the same web domain. It was discovered that the HotPot module in Moodle did not correctly filter SQL inputs. An authenticated remote attacker could execute arbitrary SQL commands as the moodle database user, leading to a loss of privacy or denial of service. Kevin Madura discovered that the forum actions and messaging settings in Moodle were not protected from cross-site request forgery. If an authenticated user were tricked into visiting a malicious website while logged into Moodle, a remote attacker could change the user's configurations or forum content. Daniel Cabezas discovered that Moodle would leak usernames from the Calendar Export tool. A remote attacker could gather a list of users, leading to a loss of privacy. Christian Eibl discovered that the TeX filter in Moodle allowed any function to be used. An authenticated remote attacker could post a specially crafted TeX formula to execute arbitrary TeX functions, potentially reading any file accessible to the web server user, leading to a loss of privacy. Johannes Kuhn discovered that Moodle did not correctly validate user permissions when attempting to switch user accounts. An authenticated remote attacker could switch to any other Moodle user, leading to a loss of privacy. Hanno Boeck discovered that unconfigured Moodle instances contained XSS vulnerabilities. An unauthenticated remote attacker could exploit this to modify or steal confidential data of other users within the same web domain. Debbie McDonald, Mauno Korpelainen, Howard Miller, and Juan Segarra Montesinos discovered that when users were deleted from Moodle, their profiles and avatars were still visible. An authenticated remote attacker could exploit this to store information in profiles even after they were removed, leading to spam traffic. Lars Vogdt discovered that Moodle did not correctly filter certain inputs. An authenticated remote attacker could exploit this to generate XSS from which they could modify or steal confidential data of other users within the same web domain. It was discovered that Moodle did not correctly filter inputs for group creation, mnet, essay question, HOST param, wiki param, and others. An authenticated remote attacker could exploit this to generate XSS from which they could modify or steal confidential data of other users within the same web domain. It was discovered that Moodle did not correctly filter SQL inputs when performing a restore. An attacker authenticated as a Moodle administrator could execute arbitrary SQL commands as the moodle database user, leading to a loss of privacy or denial of service
Family: unix Class: patch
Reference(s): USN-791-1
CVE-2007-3215
CVE-2008-4796
CVE-2008-4810
CVE-2008-4811
CVE-2009-1669
CVE-2008-5153
CVE-2008-5432
CVE-2008-5619
CVE-2009-0500
CVE-2009-0502
CVE-2008-6124
CVE-2009-0499
CVE-2009-0501
CVE-2009-1171
Version: 5
Platform(s): Ubuntu 8.10
Ubuntu 8.04
Product(s): moodle
Definition Id: oval:org.mitre.oval:def:13700
 
Oval ID: oval:org.mitre.oval:def:13700
Title: DSA-1761-1 moodle -- missing input sanitisation
Description: Christian J. Eibl discovered that the TeX filter of Moodle, a web-based course management system, doesn’t check user input for certain TeX commands which allows an attacker to include and display the content of arbitrary system files. Note that this doesn’t affect installations that only use the mimetex environment. For the oldstable distribution, this problem has been fixed in version 1.6.3-2+etch3. For the stable distribution, this problem has been fixed in version 1.8.2.dfsg-3+lenny2. For the testing distribution, this problem will be fixed soon. For the unstable distribution, this problem has been fixed in version 1.8.2.dfsg-5. We recommend that you upgrade your moodle packages.
Family: unix Class: patch
Reference(s): DSA-1761-1
CVE-2009-1171
Version: 5
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 4.0
Product(s): moodle
Definition Id: oval:org.mitre.oval:def:7916
 
Oval ID: oval:org.mitre.oval:def:7916
Title: DSA-1761 moodle -- missing input sanitisation
Description: Christian J. Eibl discovered that the TeX filter of Moodle, a web-based course management system, doesn't check user input for certain TeX commands which allows an attacker to include and display the content of arbitrary system files. Note that this doesn't affect installations that only use the mimetex environment.
Family: unix Class: patch
Reference(s): DSA-1761
CVE-2009-1171
Version: 3
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 4.0
Product(s): moodle

CPE : Common Platform Enumeration

Type Description Count
Application 27

OpenVAS Exploits

Date Description
2009-12-14 Name : Fedora Core 10 FEDORA-2009-13040 (moodle)
File : nvt/fcore_2009_13040.nasl
2009-06-30 Name : Ubuntu USN-791-1 (moodle)
File : nvt/ubuntu_791_1.nasl
2009-06-30 Name : Ubuntu USN-791-2 (moodle)
File : nvt/ubuntu_791_2.nasl
2009-04-28 Name : SuSE Security Summary SUSE-SR:2009:009
File : nvt/suse_sr_2009_009.nasl
2009-04-06 Name : Debian Security Advisory DSA 1761-1 (moodle)
File : nvt/deb_1761_1.nasl
2009-04-06 Name : Fedora Core 10 FEDORA-2009-3280 (moodle)
File : nvt/fcore_2009_3280.nasl
2009-04-06 Name : Fedora Core 9 FEDORA-2009-3283 (moodle)
File : nvt/fcore_2009_3283.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
52998 Moodle TeX Notation Filter Arbitrary File Access

Nessus® Vulnerability Scanner

Date Description
2009-07-21 Name : The remote openSUSE host is missing a security update.
File : suse_11_0_moodle-090417.nasl - Type : ACT_GATHER_INFO
2009-07-21 Name : The remote openSUSE host is missing a security update.
File : suse_11_1_moodle-090417.nasl - Type : ACT_GATHER_INFO
2009-06-25 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-791-1.nasl - Type : ACT_GATHER_INFO
2009-06-25 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-791-2.nasl - Type : ACT_GATHER_INFO
2009-04-23 Name : The remote Fedora host is missing a security update.
File : fedora_2009-3280.nasl - Type : ACT_GATHER_INFO
2009-04-21 Name : The remote openSUSE host is missing a security update.
File : suse_moodle-6198.nasl - Type : ACT_GATHER_INFO
2009-04-06 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1761.nasl - Type : ACT_GATHER_INFO
2009-04-03 Name : The remote Fedora host is missing a security update.
File : fedora_2009-3283.nasl - Type : ACT_GATHER_INFO
2009-03-30 Name : The remote web server contains a PHP application that is affected by an infor...
File : moodle_latex_info_disclosure.nasl - Type : ACT_ATTACK

Sources (Detail)

Source Url
BID http://www.securityfocus.com/bid/34278
BUGTRAQ http://www.securityfocus.com/archive/1/502231/100/0/threaded
CONFIRM http://cvs.moodle.org/moodle/filter/tex/filter.php?r1=1.18.4.4&r2=1.18.4.5
DEBIAN http://www.debian.org/security/2009/dsa-1761
EXPLOIT-DB https://www.exploit-db.com/exploits/8297
FEDORA https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00077.html
https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00079.html
MISC http://tracker.moodle.org/browse/MDL-18552
SECUNIA http://secunia.com/advisories/34517
http://secunia.com/advisories/34557
http://secunia.com/advisories/34600
http://secunia.com/advisories/35570
SUSE http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html
UBUNTU https://usn.ubuntu.com/791-2/

Alert History

Date Information
2021-05-04 12:09:22
  • Multiple Updates
2021-04-22 01:09:42
  • Multiple Updates
2020-12-01 17:22:46
  • Multiple Updates
2020-05-23 00:23:34
  • Multiple Updates
2018-10-11 00:19:34
  • Multiple Updates
2018-10-04 00:19:35
  • Multiple Updates
2017-09-29 09:24:09
  • Multiple Updates
2016-04-26 18:44:16
  • Multiple Updates
2014-02-17 10:49:32
  • Multiple Updates
2013-05-10 23:47:54
  • Multiple Updates