Package: moodle Version: 1.8.2.dfsg-3+lenny3 Severity: grave Tags: security patch Justification: user security hole
MSA-10-0011: Topic: Cross Site Scripting vulnerability in blog/index.php Severity: Critical Versions affected: <1.8.13 and <1.9.9 Reported by: Emmanuel Bouillon Issue no.: MDL-22631 Solution: upgrade to 1.8.13 or 1.9.9 Workaround: apply patch or disable blogs http://git.moodle.org/gw?p=moodle.git;a=commit;h=1f283c9acdf7b6a5c08b2768d3bf89b1e162d421 http://cvs.moodle.org/moodle/blog/lib.php?r1=1.80.2.20&r2=1.80.2.21 Description: Some parameters were not being properly cleaned on the blog index page, allowing non-persistent cross-site scripting (XSS) attacks. -- System Information: Debian Release: 5.0.4 APT prefers stable APT policy: (990, 'stable') Architecture: i386 (i686) Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores) Locale: LANG=en_US, LC_CTYPE= (charmap=ISO-8859-1) Shell: /bin/sh linked to /bin/bash Versions of packages moodle depends on: ii apache2-mpm-prefor 2.2.9-10+lenny7 Apache HTTP Server - traditional n ii debconf [debconf-2 1.5.24 Debian configuration management sy ii libapache2-mod-php 5.2.6.dfsg.1-1+lenny8 server-side, HTML-embedded scripti ii mimetex 1.50-1+lenny1 LaTeX math expressions to anti-ali ii mysql-client-5.0 [ 5.0.51a-24+lenny4 MySQL database client binaries ii php5-cli 5.2.6.dfsg.1-1+lenny8 command-line interpreter for the p ii php5-curl 5.2.6.dfsg.1-1+lenny8 CURL module for php5 ii php5-gd 5.2.6.dfsg.1-1+lenny8 GD module for php5 ii php5-mysql 5.2.6.dfsg.1-1+lenny8 MySQL module for php5 ii smarty 2.6.20-1.2 Template engine for PHP ii ucf 3.0016 Update Configuration File: preserv ii wwwconfig-common 0.1.2 Debian web auto configuration ii yui 2.5.0-1 Yahoo User Interface Library ii zip 2.32-1 Archiver for .zip files Versions of packages moodle recommends: ii mysql-server-5.0 [ 5.0.51a-24+lenny4 MySQL database server binaries ii php5-ldap 5.2.6.dfsg.1-1+lenny8 LDAP module for php5 moodle suggests no packages. -- debconf-show failed
Index: moodle/blog/lib.php =================================================================== --- moodle/blog/lib.php (revision 6) +++ moodle/blog/lib.php (revision 7) @@ -649,17 +649,21 @@ /// Find the base url from $_GET variables, for print_paging_bar + /// WARNING: EVIL EVIL EVIL! This function directly acesses $_GET which is a big no no. MDL-22631 + /// I added some clean_param() calls for now but $_GET should just not ever be used directly. + /// The function is totally gone in Moodle 2.0. function get_baseurl($filtertype, $filterselect) { - $getcopy = $_GET; - unset($getcopy['blogpage']); + unset($_GET['blogpage']); $strippedurl = strip_querystring(qualified_me()); - if(!empty($getcopy)) { + if(!empty($_GET)) { $first = false; $querystring = ''; - foreach($getcopy as $var => $val) { + foreach($_GET as $var => $val) { + $var = clean_param($var, PARAM_ALPHANUM); // See MDL-22631 + $val = clean_param($val, PARAM_CLEAN); if(!$first) { $first = true; if ($var != 'filterselect' && $var != 'filtertype') {