Bug 17280

Summary: moodle new security issues fixed in 2.8.9
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/666962/
Whiteboard: has_procedure MGA5-32-OK advisory
Source RPM: moodle-2.8.8-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-12-03 14:32:54 CET 
Upstream has released new versions on November 9:
https://moodle.org/mod/forum/discuss.php?d=322852
https://docs.moodle.org/dev/Moodle_2.8.9_release_notes

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.8.9, if guest access is open on the site, unauthenticated
users can store Atto draft data through the editor autosave area, which could
be exploited in a denial of service attack (CVE-2015-5332).

In Moodle before 2.8.9, due to a CSRF issue in the site registration form, it
is possible to trick a site admin into sending aggregate stats to an arbitrary
domain.  The attacker can send the admin a link to a site registration form
that will display the correct URL but, if submitted, will register with
another hub (CVE-2015-5335).

In Moodle before 2.8.9, the standard survey module is vulnerable to XSS attack
by students who fill the survey (CVE-2015-5336).

In Moodle before 2.8.9, there was a reflected XSS vulnerability in the
Flowplayer flash video player (CVE-2015-5337).

In Moodle before 2.8.9, password-protected lesson modules are subject to a
CSRF vulnerability in the lesson login form (CVE-2015-5338).

In Moodle before 2.8.9, through web service core_enrol_get_enrolled_users it
is possible to retrieve list of course participants who would not be visible
when using web site (CVE-2015-5339).

In Moodle before 2.8.9, logged in users who do not have capability 'View
available badges without earning them' can still access the full list of
badges (CVE-2015-5340).

In Moodle before 2.8.9, the SCORM module allows to bypass access restrictions
based on date and lets users view the SCORM contents (CVE-2015-5341).

In Moodle before 2.8.9, the choice module closing date can be bypassed,
allowing users to delete or submit new responses after the choice module was
closed (CVE-2015-5342).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5332
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5335
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5336
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5337
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5338
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5339
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5340
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5341
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5342
https://moodle.org/mod/forum/discuss.php?d=323229
https://moodle.org/mod/forum/discuss.php?d=323230
https://moodle.org/mod/forum/discuss.php?d=323231
https://moodle.org/mod/forum/discuss.php?d=323232
https://moodle.org/mod/forum/discuss.php?d=323233
https://moodle.org/mod/forum/discuss.php?d=323234
https://moodle.org/mod/forum/discuss.php?d=323235
https://moodle.org/mod/forum/discuss.php?d=323236
https://moodle.org/mod/forum/discuss.php?d=323237
https://docs.moodle.org/dev/Moodle_2.8.9_release_notes
https://moodle.org/mod/forum/discuss.php?d=322852
========================

Updated packages in core/updates_testing:
========================
moodle-2.8.9-1.mga5

from moodle-2.8.9-1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-12-03 14:33:09 CET 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=10136#c3

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2015-12-03 16:49:19 CET 
Working fine on our production Moodle server at work, Mageia 5 i586.

Whiteboard: has_procedure => has_procedure MGA5-32-OK

Comment 3 William Kenney 2015-12-03 18:19:19 CET 
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
moodle

default install of moodle

[root@localhost wilcal]# urpmi moodle
Package moodle-2.8.8-1.mga5.noarch is already installed

To get this up and running simplest way:

urpmi mariadb
systemctl enable mysqld.service
systemctl start mysqld.service
mysql -u root
mysql> create database moodle;
mysql> create user 'moodle'@'localhost' identified by '<test>';
mysql> grant all on moodle.* to 'moodle'@'localhost';
mysql> ALTER DATABASE moodle DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
mysql> exit;

Then in an su - terminal
kwrite /var/www/moodle/config.php
and in the empty single quotes for dbuser and dbpass, put 'moodle' for
dbuser ( line 11 ), and the password 'test' ( line 12 ) used to create
user mysql command in for dbpass.

All went as expected.

stop then restart mysqld

Then browse to http://localhost/moodle to complete the setup.
"Unable to connect" on Firefox browser.
http://localhost/~wilcal/ works fine on the same browser.

I still get this. Hints?

CC: (none) => wilcal.int

Comment 4 David Walser 2015-12-03 19:07:36 CET 
I think that means unable to connect to the database.  If your commands were exactly what you typed, when you created the user in mysql, it should have been "identified by 'test';" without the <>.  (Or perhaps you could put the password as <test> in config.php, that might work too).
Dave Hodgins 2015-12-05 03:30:58 CET

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Mageia Robot 2015-12-05 11:05:08 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0464.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-12-07 17:06:02 CET

URL: (none) => http://lwn.net/Vulnerabilities/666962/