Moodle < 2.5 / 2.5.x < 2.5.9 / 2.6.x < 2.6.6 / 2.7.x < 2.7.3 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 8721

Synopsis

The remote web server is hosting a web application that is vulnerable to multiple attack vectors.

Description

The remote web server hosts Moodle, an open-source course management system. Versions of Moodle 2.5.x prior to 2.5.9, 2.6.x prior to 2.6.6, 2.7.x prior to 2.7.3, and all previous releases are exposed to the following vulnerabilities :

- A cross-site scripting (XSS) vulnerability affects the script 'lib/setup.php'. Specifically, without forcing encoding, it was possible that UTF7 characters could be used to force cross-site script to AJAX scripts (although this is unlikely on modern browsers and on most Moodle pages). (MSA-14-0035 / CVE-2014-9059)

- A cross-site scripting (XSS) vulnerability exists in the Feedback module. This occurs because the last search string was not escaped in the search input field. Specifically, this affects the '$searchcourse' parameter in the script 'mod/feedback/mapcourse.php'. (MSA-14-0036 / CVE-2014-7830)

- The temporary password generation function 'generate_password()' uses an unreasonably short list of possible words to create temporary passwords. (MSA-14-0037 / CVE-2014-7845)

- A security bypass flaw exists in 'mod/lti/launch.php' which performs access control at the course level rather than at the activity level. This could allow remote authenticated users to bypass the 'mod/lti:view' capability requirement by viewing an activity instance. (MSA-14-0039 / CVE-2014-7832)

- An information disclosure flaw affects 'mod/data/edit.php' because the script sets a certain group ID to zero upon a database-entry change, which allows remote authenticated users to obtain sensitive information by accessing the database after an edit by a teacher. (MSA-14-0040 / CVE-2014-7833)

- An access control flaw exists in 'tag/tag_autocomplete.php' because the script does not consider the 'moodle/tag:edit' capability before adding a tag, which allows remote authenticated users to bypass intended access restrictions via an AJAX request. (MSA-14-0041 / CVE-2014-7846)

- A denial of service vulnerability exists in the Geo-Map script, 'iplookup/index.php'. Specifically, the script used to geo-map IP addresses was available to unauthenticated users increasing server load when used by other parties. (MSA-14-0042 / CVE-2014-7847)

- Multiple cross-site request forgery (CSRF) vulnerabilities affect the LTI module that allow remote attackers to hijack the authentication of arbitrary users to make a request. Specifically, these flaws exist in 'mod/lti/request_tool.php' and 'mod/lti/instructor_edit_tool_type.php'. (MSA-14-0046 / CVE-2014-7836)

- A security-bypass vulnerability exists within the script 'mod/wiki/admin.php' because it fails to sufficiently sanitize user-supplied input. An attacker can exploit this issue to delete pages in other Wiki pages by manipulating URLs. (MSA-14-0047 / CVE-2014-7837)

- A cross-site request forgery (CSRF) flaw affects the forum tracking toggle function because it lacks a session key check. Specifically, this affects the script 'mod/forum/settracking.php'. (MSA-14-0048 / CVE-2014-7838)

- A flaw exists that could allow a remote attacker to print arbitrary messages to a user session through modifying the URL query string. Specifically, this affects the script 'mod/lti/return.php' when loading the LTI module return page. (MSA-14-0049 / CVE-2014-9060)

Solution

Upgrade to Moodle version 2.8 or later. If your installation cannot be upgraded to 2.8.x, versions 2.5.9, 2.6.6, and 2.7.3 are also patched for these vulnerabilities.

See Also

http://moodle.org/security

http://www.nessus.org/u?e73e48cd

http://openwall.com/lists/oss-security/2014/11/17/11

Plugin Details

Severity: High

ID: 8721

Family: CGI

Published: 2015/04/20

Modified: 2018/09/16

Dependencies: 8690

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 7.3

Temporal Score: 7

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:moodle:moodle

Patch Publication Date: 2014/11/10

Vulnerability Publication Date: 2014/11/17

Reference Information

CVE: CVE-2014-7830, CVE-2014-7832, CVE-2014-7833, CVE-2014-7836, CVE-2014-7837, CVE-2014-7838, CVE-2014-7845, CVE-2014-7846, CVE-2014-7847, CVE-2014-9059, CVE-2014-9060

BID: 71119, 71120, 71121, 71122, 71124, 71125, 71128, 71130, 71132, 71133, 71134, 72672