Well I do realize that the Moodle packaging team it's aware of this bugreport
anyway I attempted to fix some of the more serious problems that I think could
impact my system, so as normally a good friend of mine says, check with
upstream, well in this case not with upstream but with the package I use,
Moodle on Debian, so I checked the release notes on 1.8.11 [1] build a chroot
of Lenny on my Unstable installation via debootstrap and go and after an
apt-get source moodle I searched for the things I believe can fix without
breaking the package and the Debian Way of work, I searched for the security
fixes, first problem as the release notes [1] and the tracker [2] don.t show
the code (at least not to me) so ended searching on the git [3] for the commits
and applied to the code, yes it's an unified diff, I'm not really sure if it's
totally correct as I need to learn too much but, it's my best try, maybe it
could help the Moodle packaging team or anyone to patch at least
CVE-2009-4303[4].
This is a try of changelog of what I did.
Bug MDL-20932 FIXED Get rid of user->secret in backup
files (and ignore it on restore) Major Resolved
Found on:
http://git.moodle.org/gw?p=moodle.git;a=patch;h=306e851f93d67c6919f11d7c8910af301c57bbbf
Fixes:
CVE-2009-4303[4]:
Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 stores (1) password hashes and
(2) unspecified "secrets" in backup files, which might allow attackers to
obtain sensitive information.
Improvement MDL-20941 FIXED Store hashed username into user->email
field for deleted users Major Resolved
(Not touched as is a new feature and on the tracker had a lot of discussion on
what is the proper way to handle this)
Bug MDL-13952 FIXED "enrol_ldap_autocreate" create courses, even if
"enrol_ldap_autocreate" is set to "no" Minor Resolved
Found on:
http://git.moodle.org/gw?p=moodle.git;a=commit;h=29bd2be123a23a6ae699af8bbd58c0551f9edb07
Bug MDL-20288 FIXED $url cannot be null for Oracle in datalib.php
add_to_log Minor Resolved
Found on:
http://git.moodle.org/gw?p=moodle.git;a=commit;h=d217bcf1a8c5417db18ae07172d0a4dba5b1f6f3
Sub-task MDL-20916 FIXED MDL-19303
Apply sesskey() mechanism to all the actions in the XMLDB Editor Minor
Resolved
Found on:
http://git.moodle.org/gw?p=moodle.git;a=commit;h=5aa2b2e9430e8ecdc6e4fcb8694d9b8d8440d033
(not fixed as it modifies 36 files, too complex for me)
Bug MDL-18989 FIXED Improper Course Creation in LDAP sync Minor
Resolved
(Fixed by MDL13952 above)
Bug MDL-20638 FIXED Smarty vulnerabilities may affect QTI2 export
Minor Resolved
(Too much modified files 69! Way too complex for me, also in the notes is asked
to no use smarty and announces that it will be deprecated for version 2)
Bug MDL-20890 FIXED Upgrading Moodle database (1.9.6+) results in 8
identical
notices Minor Resolved
(Can.t fin on the git commit.s)
Bug MDL-20927 FIXED incorrect require_login check Minor Resolved
Found on:
http://git.moodle.org/gw?p=moodle.git;a=commit;h=afc9bd4ea34ddf281d0442012d245c8245ce3136
(Way too much different from the one on 1.8.2 I suspect that will break if I
only add what changes on 1.8.11, so not touched)
SCORM MDL-20955 fix bad use of update_record - thanks Petr
Found on:
http://git.moodle.org/gw?p=moodle.git;a=commit;h=ad97538d8aa71cbb66108a8cc086b0a8d831b25e
Fixes:
CVE-2009-4305[0]:
SQL injection vulnerability in the SCORM module in Moodle 1.8 before 1.8.11 and
1.9 before 1.9.7 allows remote authenticated users to| execute arbitrary SQL
commands via vectors related to an "escaping issue when processing AICC CRS
file (Course_Title)."
(I.m can.t really test this one, but as far as I think it didn.t break things)
Regards
[1] http://docs.moodle.org/en/Moodle_1.8.11_release_notes
[2] http://tracker.moodle.org/browse/MDL/fixforversion/10383
[3]
http://git.moodle.org/gw?p=moodle.git;a=shortlog;h=refs/heads/MOODLE_18_STABLE
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4303
http://security-tracker.debian.org/tracker/CVE-2009-4303
Index: moodle.svn/enrol/ldap/enrol.php
===================================================================
--- moodle.svn/enrol/ldap/enrol.php (revision 3)
+++ moodle.svn/enrol/ldap/enrol.php (revision 4)
@@ -222,6 +222,11 @@
$this->enrol_localcoursefield,
$idnumber );
if (!is_object($course_obj)) {
+ if (empty($CFG->enrol_ldap_autocreate)) { // autocreation not allowed
+ print "[ENROL_LDAP] Course $idnumber does not exist, skipping\n";
+ continue; // next foreach course
+ }
+
// ok, now then let's create it!
print "Creating Course $idnumber...";
$newcourseid = $this->create_course($course, true); // we are skipping fix_course_sortorder()
Index: moodle.svn/lib/datalib.php
===================================================================
--- moodle.svn/lib/datalib.php (revision 3)
+++ moodle.svn/lib/datalib.php (revision 4)
@@ -1541,12 +1541,10 @@
if (defined('MDL_PERFDB')) { global $PERF ; $PERF->dbqueries++; $PERF->logwrites++;};
- if ($CFG->type = 'oci8po') {
- if (empty($info)) {
- $info = ' ';
- }
- }
+ $info = empty($info) ? sql_empty() : $info; // Use proper empties for each database
+ $url = empty($url) ? sql_empty() : $url;
+
$result = $db->Execute('INSERT INTO '. $CFG->prefix .'log (time, userid, course, ip, module, cmid, action, url, info)
VALUES (' . "'$timenow', '$userid', '$courseid', '$REMOTE_ADDR', '$module', '$cm', '$action', '$url', '$info')");
Index: moodle.svn/mod/scorm/datamodels/aicclib.php
===================================================================
--- moodle.svn/mod/scorm/datamodels/aicclib.php (revision 3)
+++ moodle.svn/mod/scorm/datamodels/aicclib.php (revision 4)
@@ -252,7 +252,9 @@
$sco->next = 0;
if ($oldscoid = scorm_array_search('identifier',$sco->identifier,$oldscoes)) {
$sco->id = $oldscoid;
- $id = update_record('scorm_scoes',$sco);
+ if ($DB->update_record('scorm_scoes',$sco)) {
+ $id = $oldscoid;
+ }
unset($oldscoes[$oldscoid]);
} else {
$id = insert_record('scorm_scoes',$sco);
Index: moodle.svn/mod/lesson/lesson.php
===================================================================
--- moodle.svn/mod/lesson/lesson.php (revision 3)
+++ moodle.svn/mod/lesson/lesson.php (revision 4)
@@ -29,7 +29,7 @@
list($cm, $course, $lesson) = lesson_get_basics($id);
- require_login($course->id);
+ require_login($course, false, $cm);
$context = get_context_instance(CONTEXT_MODULE, $cm->id);
/// Set up some general variables
Index: moodle.svn/backup/backuplib.php
===================================================================
--- moodle.svn/backup/backuplib.php (revision 3)
+++ moodle.svn/backup/backuplib.php (revision 4)
@@ -1126,7 +1126,6 @@
fwrite ($bf,full_tag("LASTLOGIN",4,false,$user->lastlogin));
fwrite ($bf,full_tag("CURRENTLOGIN",4,false,$user->currentlogin));
fwrite ($bf,full_tag("LASTIP",4,false,$user->lastip));
- fwrite ($bf,full_tag("SECRET",4,false,$user->secret));
fwrite ($bf,full_tag("PICTURE",4,false,$user->picture));
fwrite ($bf,full_tag("URL",4,false,$user->url));
fwrite ($bf,full_tag("DESCRIPTION",4,false,$user->description));
Index: moodle.svn/backup/restorelib.php
===================================================================
--- moodle.svn/backup/restorelib.php (revision 3)
+++ moodle.svn/backup/restorelib.php (revision 4)
@@ -4670,9 +4670,6 @@
case "LASTIP":
$this->info->tempuser->lastip = $this->getContents();
break;
- case "SECRET":
- $this->info->tempuser->secret = $this->getContents();
- break;
case "PICTURE":
$this->info->tempuser->picture = $this->getContents();
break;
