Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 stores (1) password hashes and (2) unspecified "secrets" in backup files, which might allow attackers to obtain sensitive information.

Several vulnerabilities have been discovered in Moodle, an online course management system. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2009-4297     Multiple cross-site request forgery (CSRF)     vulnerabilities have been discovered.

  - CVE-2009-4298     It has been discovered that the LAMS module is prone to     the disclosure of user account information.

  - CVE-2009-4299     The Glossary module has an insufficient access control     mechanism.

  - CVE-2009-4301     Moodle does not properly check permissions when the MNET     service is enabled, which allows remote authenticated     servers to execute arbitrary MNET functions.

  - CVE-2009-4302     The login/index_form.html page links to an HTTP page     instead of using an SSL secured connection.

  - CVE-2009-4303     Moodle stores sensitive data in backup files, which     might make it possible for attackers to obtain them.

  - CVE-2009-4305     It has been discovered that the SCORM module is prone to     a SQL injection.

Additionally, a SQL injection in the update_record function, a problem with symbolic links and a verification problem with Glossary, database and forum ratings have been fixed.

This patch updates Moodle to the latest stable upstream version (1.9.7) fixing multiple security issues: CVE-2009-4297, CVE-2009-4298, CVE-2009-4299, CVE-2009-4300, CVE-2009-4301, CVE-2009-4302, CVE-2009-4303, CVE-2009-4304, CVE-2009-4305, MSA-09-0030 (New detection of insecure Flash player plugins)

The new version also has a completely new , more secure password handling. Beside other features, Admins will be asked to change their passwords next time they log in after upgrading.

Moodle upstream has released latest stable versions (1.9.7 and 1.8.11), fixing multiple security issues. The list for 1.9.7 release:
-------------------------- Security issues * MSA-09-0022 - Multiple CSRF problems fixed * MSA-09-0023 - Fixed user account disclosure in LAMS module * MSA-09-0024 - Fixed insufficient access control in Glossary module

  - MSA-09-0025 - Unneeded MD5 hashes removed from user     table * MSA-09-0026 - Fixed invalid application access     control in MNET interface * MSA-09-0027 - Ensured login     information is always sent secured when using SSL for     logins * MSA-09-0028 - Passwords and secrets are no     longer ever saved in backups, new backup capabilities     moodle/backup:userinfo and moodle/restore:userinfo for     controlling who can backup/restore user data, new checks     in the security overview report help admins identify     dangerous backup permissions * MSA-09-0029 - A strong     password policy is now enabled by default, enabling     password salt in encouraged in config.php, admins are     forced to change password after the upgrade and admins     can force password change on other users via Bulk user     actions * MSA-09-0030 - New detection of insecure Flash     player plugins, Moodle won't serve Flash to insecure     plugins * MSA-09-0031 - Fixed SQL injection in SCORM     module The list for 1.8.11 release:
    ---------------------------- Security issues *     MSA-09-0022 - Multiple CSRF problems fixed * MSA-09-0023
    - Fixed user account disclosure in LAMS module *     MSA-09-0024 - Fixed insufficient access control in     Glossary module * MSA-09-0025 - Unneeded MD5 hashes     removed from user table * MSA-09-0026 - Fixed invalid     application access control in MNET interface *     MSA-09-0027 - Ensured login information is always sent     secured when using SSL for logins * MSA-09-0028 -     Passwords and secrets are no longer ever saved in     backups, new backup capabilities moodle/backup:userinfo     and moodle/restore:userinfo for controlling who can     backup/restore user data * MSA-09-0029 - Enabling a     password salt in encouraged in config.php and admins are     forced to change password after the upgrade *     MSA-09-0031 - Fixed SQL injection in SCORM module     References: -----------     http://docs.moodle.org/en/Moodle_1.9.7_release_notes     http://docs.moodle.org/en/Moodle_1.8.11_release_notes     CVE Request: ------------     http://www.openwall.com/lists/oss-security/2009/12/06/1

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Moodle installed on the remote host is potentially vulnerable to multiple flaws.

  - Multiple cross-site request forger issues. (MSA-09-0022)

  - User account disclosure in LAMS module. (MSA-09-0023)

  - Insufficient access control may allow unauthorized users to view glossary entries. (MSA-09-0024)

  - Invalid application access control in MNET interface could allow execution of any MNET function from all registered remote servers. (MSA-09-0026)

  - Login information can be sent unsecured even when a site is configured to use SSL for logins. (MSA-09-0027)

  - A SQL injection issue in the SCORM module. (MSA-09-0031)

ID	Name	Product	Family	Severity
44850	Debian DSA-1986-1 : moodle - several vulnerabilities	Nessus	Debian Local Security Checks	medium
44613	openSUSE Security Update : moodle (moodle-1933)	Nessus	SuSE Local Security Checks	high
44608	openSUSE Security Update : moodle (moodle-1933)	Nessus	SuSE Local Security Checks	high
43123	Fedora 11 : moodle-1.9.7-1.fc11 (2009-13080)	Nessus	Fedora Local Security Checks	high
43121	Fedora 12 : moodle-1.9.7-1.fc12 (2009-13065)	Nessus	Fedora Local Security Checks	high
43119	Fedora 10 : moodle-1.9.7-1.fc10 (2009-13040)	Nessus	Fedora Local Security Checks	high
5257	Moodle < 1.8.11 / 1.9.x < 1.9.7 Multiple Vulnerabilities	Nessus Network Monitor	CGI	high

Detections

Analytics

CVE-2009-4303

high

Tenable Plugins

medium

high

high

high

high

high

high