Package: moodle
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was published for moodle.
CVE-2010-1619[0]:
| Cross-site scripting (XSS) vulnerability in the
| fix_non_standard_entities function in the KSES HTML text cleaning
| library (weblib.php), as used in Moodle 1.8.x before 1.8.12 and 1.9.x
| before 1.9.8, allows remote attackers to inject arbitrary web script
| or HTML via crafted HTML entities.

The function patched in the official upstream patch is not included in our version of the source code; a ported (untested) version of the patch is attached.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1619
    http://security-tracker.debian.org/tracker/CVE-2010-1619

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
--- weblib.php 2010-06-10 15:03:59.000000000 +0200 +++ weblib.php.new 2010-06-10 15:12:30.000000000 +0200 @@ -1676,8 +1676,8 @@ default: /// Fix non standard entity notations - $text = preg_replace('/(&#[0-9]+)(;?)/', "\\1;", $text); - $text = preg_replace('/(&#x[0-9a-fA-F]+)(;?)/', "\\1;", $text); + $text = preg_replace('/�*([0-9]+);?/', "&#\\1;", $text); + $text = preg_replace('/�*([0-9a-fA-F]+);?/', "&#\\1;", $text); /// Remove tags that are not allowed $text = strip_tags($text, $ALLOWED_TAGS);
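Review bot: the second `+` line reuses the decimal replacement string `"&#\\1;"` for the hexadecimal pattern, so if that pattern is meant to match the `&#x` prefix the rewritten reference loses its `x` and is reinterpreted as a decimal code point (a hex reference such as `&#x41;` would come back as `&#41;`); that replacement should be `"&#x\\1;"`. The patterns as attached also show a replacement character (`�`) where the literal `&#` / `&#x` prefix belongs, so the attachment's encoding should be verified before the hunk is applied. Since the port is marked untested, exercise the patched function with references written with leading zeros and with a missing semicolon, in both decimal and hex forms, and confirm that `strip_tags` then sees only canonical entities.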
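The fix above rests on one idea: a filter that allowlists tags and entities by string comparison can be bypassed when the same character is written in a non-standard notation (leading zeros, or no terminating semicolon), so the text must be canonicalised before the allowlist runs. The following is an added example written for this page; it is not Moodle's code and not the attached patch. It re-implements the normalisation in Python with the same two regular expressions (decimal and hex numeric references, leading zeros stripped, semicolon enforced), accepts both `x` and `X` in the hex prefix, which goes slightly beyond the upstream pattern, and adds a small detector that flags input whose entities changed under normalisation, which a defender can log as a signal of filter-evasion attempts. The function names and the sample strings are constructed for the example.

```python
import html
import re

# Numeric character references in any of the notations the CVE text calls
# "non standard": optional leading zeros and an optional semicolon.
_DEC_REF = re.compile(r"&#0*([0-9]+);?")
_HEX_REF = re.compile(r"&#[xX]0*([0-9a-fA-F]+);?")


def normalize_numeric_entities(text: str) -> str:
    """Rewrite every numeric character reference into one canonical form.

    &#0065; / &#65 / &#65;      ->  &#65;
    &#X0041 / &#x41             ->  &#x41;
    Named entities (&amp;) and plain text are left untouched.
    """
    # Hex first: "&#x41;" can never match the decimal pattern because the
    # decimal pattern requires a digit right after "&#", so order does not
    # change the result, but keeping hex first makes the intent explicit.
    text = _HEX_REF.sub(lambda m: "&#x" + m.group(1) + ";", text)
    text = _DEC_REF.sub(lambda m: "&#" + m.group(1) + ";", text)
    return text


def uses_non_standard_notation(text: str) -> bool:
    """True when the input contained at least one numeric reference written
    with leading zeros or without a semicolon (i.e. normalisation changed it).
    Useful as a detection signal: legitimate editors emit canonical forms."""
    return normalize_numeric_entities(text) != text


def decodes_to(text: str) -> str:
    """Decode the canonical form to characters, to show that the browser
    would have rendered the non-standard and canonical inputs identically."""
    return html.unescape(normalize_numeric_entities(text))


# Constructed sample inputs (not taken from the report).
SAMPLES = [
    "&#65;",        # canonical decimal, unchanged
    "&#0065;",      # leading zeros
    "&#65",         # missing semicolon
    "&#x41;",       # canonical hex, unchanged
    "&#X0041",      # upper-case X, leading zeros, no semicolon
    "a &amp; b",    # named entity, unchanged
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(
            f"{raw!r:12} -> {normalize_numeric_entities(raw)!r:10} "
            f"decodes to {decodes_to(raw)!r:8} "
            f"non-standard={uses_non_standard_notation(raw)}"
        )
```

Run the normalisation before any tag or entity allowlist, never after: the whole point is that the allowlist sees exactly one spelling of each reference. The detector is deliberately simple; in practice you would log the original string alongside the canonical one so that an analyst can see which notation was used.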