Your message dated Wed, 30 Jun 2010 21:34:44 +0000
with message-id <e1ou4vc-0000q1...@ries.debian.org>
and subject line Bug#586280: fixed in moodle 1.9.9-1
has caused the Debian Bug report #586280,
regarding moodle: Cross Site Scripting vulnerability in blog/index.php
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
586280: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=586280
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: moodle
Version: 1.8.2.dfsg-3+lenny3
Severity: grave
Tags: security patch
Justification: user security hole

MSA-10-0011:
Topic: Cross Site Scripting vulnerability in blog/index.php
Severity: Critical
Versions affected: <1.8.13 and <1.9.9
Reported by: Emmanuel Bouillon
Issue no.: MDL-22631
Solution: upgrade to 1.8.13 or 1.9.9
Workaround: apply patch or disable blogs
http://git.moodle.org/gw?p=moodle.git;a=commit;h=1f283c9acdf7b6a5c08b2768d3bf89b1e162d421
http://cvs.moodle.org/moodle/blog/lib.php?r1=1.80.2.20&r2=1.80.2.21

Description:
Some parameters were not being properly cleaned on the blog index page, 
allowing non-persistent cross-site scripting (XSS) attacks.


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE= (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages moodle depends on:
ii  apache2-mpm-prefor 2.2.9-10+lenny7       Apache HTTP Server - traditional n
ii  debconf [debconf-2 1.5.24                Debian configuration management sy
ii  libapache2-mod-php 5.2.6.dfsg.1-1+lenny8 server-side, HTML-embedded scripti
ii  mimetex            1.50-1+lenny1         LaTeX math expressions to anti-ali
ii  mysql-client-5.0 [ 5.0.51a-24+lenny4     MySQL database client binaries
ii  php5-cli           5.2.6.dfsg.1-1+lenny8 command-line interpreter for the p
ii  php5-curl          5.2.6.dfsg.1-1+lenny8 CURL module for php5
ii  php5-gd            5.2.6.dfsg.1-1+lenny8 GD module for php5
ii  php5-mysql         5.2.6.dfsg.1-1+lenny8 MySQL module for php5
ii  smarty             2.6.20-1.2            Template engine for PHP
ii  ucf                3.0016                Update Configuration File: preserv
ii  wwwconfig-common   0.1.2                 Debian web auto configuration
ii  yui                2.5.0-1               Yahoo User Interface Library
ii  zip                2.32-1                Archiver for .zip files

Versions of packages moodle recommends:
ii  mysql-server-5.0 [ 5.0.51a-24+lenny4     MySQL database server binaries
ii  php5-ldap          5.2.6.dfsg.1-1+lenny8 LDAP module for php5

moodle suggests no packages.

-- debconf-show failed
Index: moodle/blog/lib.php
===================================================================
--- moodle/blog/lib.php	(revision 6)
+++ moodle/blog/lib.php	(revision 7)
@@ -649,17 +649,21 @@
 
 
     /// Find the base url from $_GET variables, for print_paging_bar
+    /// WARNING:  EVIL EVIL EVIL!  This function directly acesses $_GET which is a big no no. MDL-22631
+    /// I added some clean_param() calls for now but $_GET should just not ever be used directly.  
+    /// The function is totally gone in Moodle 2.0.
     function get_baseurl($filtertype, $filterselect) {
 
-        $getcopy  = $_GET;
 
-        unset($getcopy['blogpage']);
+        unset($_GET['blogpage']);
 
         $strippedurl = strip_querystring(qualified_me());
-        if(!empty($getcopy)) {
+        if(!empty($_GET)) {
             $first = false;
             $querystring = '';
-            foreach($getcopy as $var => $val) {
+            foreach($_GET as $var => $val) {
+               $var = clean_param($var, PARAM_ALPHANUM);   // See MDL-22631
+               $val = clean_param($val, PARAM_CLEAN);
                 if(!$first) {
                     $first = true;
                     if ($var != 'filterselect' && $var != 'filtertype') {
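Review bot: removing the `$getcopy = $_GET;` line turns `unset($_GET['blogpage']);` into a mutation of the request superglobal, so any code later in the same request that reads `blogpage` from `$_GET` will no longer see it; the copy was there for that reason, so keep it and apply the new cleaning to the copy instead, e.g. `$getcopy = $_GET; unset($getcopy['blogpage']); foreach ($getcopy as $var => $val) {` with the two `clean_param()` lines unchanged. The added `clean_param($val, PARAM_CLEAN)` does strip the markup that made the reflected XSS possible, but this loop is assembling a query string for a URL, and PARAM_CLEAN is an HTML-oriented cleaner rather than a URL encoder; the precise control is to `rawurlencode()` both `$var` and `$val` where they are concatenated into `$querystring` (below this hunk) and to HTML-escape the finished URL where it is printed. The new comment also misspells "accesses".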

--- End Message ---
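The bug report above describes the root cause (query parameters copied into the blog index page's paging URL without cleaning) and the patch shows one fix. As an added example, not Moodle's own code, here is the shape of a hardened base-URL builder for the same job: it never mutates the caller's array, allow-lists parameter names, lets `http_build_query()` percent-encode every value, and HTML-escapes the URL only at the point it is emitted into markup. The function and parameter names, the allow-list, the trailing `&` convention and the sample input are all assumptions made for this example.

```php
<?php
// Added example, not code from Moodle or from the Debian package.
// Assumption: the caller passes the query parameters as an array (a
// constructed sample below stands in for $_GET) and the returned URL is
// later placed inside an HTML attribute.

/**
 * Build a paging-bar base URL from query parameters.
 *
 * - Works on a copy, so $_GET (or whatever the caller passes) is never mutated.
 * - Drops the paging parameter itself ('blogpage'); the paging bar appends it.
 * - Keeps only alphanumeric/underscore parameter names that are also on an
 *   allow-list, which is stricter than cleaning the name after the fact.
 * - Delegates value encoding to http_build_query(), so '<', '>', '"' and
 *   quotes are percent-encoded and cannot survive into the URL as markup.
 * - Returns the URL with a trailing '?' or '&' so the caller can append
 *   'blogpage=N' directly (assumed convention for this example).
 */
function build_paging_baseurl(
    string $scriptUrl,
    array $params,
    array $allowed = ['filtertype', 'filterselect', 'courseid', 'userid', 'tag']
): string {
    $copy = $params;                 // never touch the caller's superglobal
    unset($copy['blogpage']);

    $kept = [];
    foreach ($copy as $name => $value) {
        $name = (string) $name;      // PHP turns numeric keys into ints
        if (!preg_match('/^[A-Za-z0-9_]+$/', $name)) {
            continue;                // name would not pass PARAM_ALPHANUM anyway
        }
        if (!in_array($name, $allowed, true)) {
            continue;                // unknown parameters do not propagate
        }
        if (!is_scalar($value)) {
            continue;                // array-valued params are not paging filters
        }
        $kept[$name] = (string) $value;
    }

    if ($kept === []) {
        return $scriptUrl . '?';
    }
    // RFC 3986 encoding: spaces become %20, quotes and angle brackets are escaped.
    return $scriptUrl . '?' . http_build_query($kept, '', '&', PHP_QUERY_RFC3986) . '&';
}

/** Escape a URL for use inside an HTML attribute value (turns & into &amp;). */
function html_attr(string $url): string
{
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input standing in for $_GET. The 'tag' value carries
// markup only to show that it is percent-encoded rather than reflected, and
// 'evil name;' shows a parameter name that is rejected outright.
$sample = [
    'blogpage'     => '3',
    'filtertype'   => 'course',
    'filterselect' => '12',
    'tag'          => '<b>marker</b>',
    'evil name;'   => 'x',
];

$base = build_paging_baseurl('http://example.invalid/blog/index.php', $sample);
echo $base, "\n";
echo '<a href="', html_attr($base . 'blogpage=4'), '">next</a>', "\n";
```

Run with `php example.php`: the first line is the base URL with `blogpage` removed, the bad parameter name dropped and the `tag` value percent-encoded; the second line shows the same URL safely embedded in an anchor. The two layers are deliberate: percent-encoding makes the value safe as URL data, and `htmlspecialchars()` makes the URL safe as attribute text, which is the distinction a single `clean_param()` call on the value does not capture.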
--- Begin Message ---
Source: moodle
Source-Version: 1.9.9-1

We believe that the bug you reported is fixed in the latest version of
moodle, which is due to be installed in the Debian FTP archive:

moodle_1.9.9-1.debian.tar.gz
  to main/m/moodle/moodle_1.9.9-1.debian.tar.gz
moodle_1.9.9-1.dsc
  to main/m/moodle/moodle_1.9.9-1.dsc
moodle_1.9.9-1_all.deb
  to main/m/moodle/moodle_1.9.9-1_all.deb
moodle_1.9.9.orig.tar.gz
  to main/m/moodle/moodle_1.9.9.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 586...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tomasz Muras <nexor1...@gmail.com> (supplier of updated moodle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 23 Jun 2010 21:00:39 +0100
Source: moodle
Binary: moodle
Architecture: source all
Version: 1.9.9-1
Distribution: unstable
Urgency: low
Maintainer: Moodle Packaging Team <pkg-moodle-maintain...@lists.alioth.debian.org>
Changed-By: Tomasz Muras <nexor1...@gmail.com>
Description: 
 moodle     - Course Management System for Online Learning
Closes: 585425 586280
Changes: 
 moodle (1.9.9-1) unstable; urgency=low
 .
   * Rewritten debian/rules
   * Removed unnecessary usr/share/moodle/update-notifier
   * New Upstream Version: 1.9.9
   * New upstream fixes CVE-2010-1619 (closes: #585425)
   * New upstream fixes MSA-10-0011 (closes: #586280)
Checksums-Sha1: 
 8e1bd6d6c913f2f1b68e716c0c71a96c578cca35 1337 moodle_1.9.9-1.dsc
 11f85f3b933bdc211c0590d480eccbd426cb9a31 13729451 moodle_1.9.9.orig.tar.gz
 4d644f30819ce64b71e3cb7aa99451c431a3a926 17362 moodle_1.9.9-1.debian.tar.gz
 82720d646c0c24cd86c1755f9999330a7fb3a5a9 10079970 moodle_1.9.9-1_all.deb
Checksums-Sha256: 
 66e4b09dcc5cc8d136a9590bb99d384825717e272845e3560dff900fabe3b76e 1337 moodle_1.9.9-1.dsc
 da8080f4e161bd262d68320e27d0c80dfee1e9eb6eb32995ee3f5afaba3b8433 13729451 moodle_1.9.9.orig.tar.gz
 8f82700f15fe52b2ba723c3e1da6f2d0158da606ca9739575a0080d99d2008ad 17362 moodle_1.9.9-1.debian.tar.gz
 182a73be3c88d69c524c48a1ae08c8cbad1026ec7b895b4b137cd88efe55e62f 10079970 moodle_1.9.9-1_all.deb
Files: 
 64c8aae6b95fd7efa2c5e45df5b24f3d 1337 web optional moodle_1.9.9-1.dsc
 3cf8f4dca5ed48537a44bc67e4636a15 13729451 web optional moodle_1.9.9.orig.tar.gz
 48091e2504a239cf1c6e37f208fffcfb 17362 web optional moodle_1.9.9-1.debian.tar.gz
 a6c149a34237385ea0ebed298dc4a106 10079970 web optional moodle_1.9.9-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkwrr0QACgkQpDDGqoi7tR5L0QCgoYCg5Z1F44EaxoUFrF//hl/s
qDcAoMXRKnAJ4Fgo6E4rBX7zAWZdXyIQ
=a+7f
-----END PGP SIGNATURE-----



--- End Message ---