[Secure-testing-team] Bug#564526: moodle: User secrets on backup & restore CVE-2009-4303[2] Patch supplied

Vicm3 vicm3 at janus.ajusco.upn.mx
Sun Jan 10 00:22:28 UTC 2010


Package: moodle
Version: 1.8.2.dfsg-3+lenny2
Severity: grave
Tags: security
Justification: user security hole

CVE-2009-4303[2]:
| Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 stores (1) password
| hashes and (2) unspecified "secrets" in backup files, which might
| allow attackers to obtain sensitive information.

Searching on the Moodle site I found the git commits that fixed this CVE; they are not complex, so I think it's a good idea to commit them to Debian Moodle as well.

http://git.moodle.org/gw?p=moodle.git;a=patch;h=306e851f93d67c6919f11d7c8910af301c57bbbf

Upstream data:
Bug | MDL-20932 | FIXED | Get rid of user->secret in backup files (and ignore it on restore) | Major | Resolved


vicm3 at avalon:~$ svn diff -r3:4 moodle/backup/backuplib.php
Index: moodle/backup/backuplib.php
	--- moodle/backup/backuplib.php (revision 3)
+++ moodle/backup/backuplib.php (revision 4)
@@ -1126,7 +1126,6 @@
                 fwrite ($bf,full_tag("LASTLOGIN",4,false,$user->lastlogin));
                 fwrite ($bf,full_tag("CURRENTLOGIN",4,false,$user->currentlogin));
                 fwrite ($bf,full_tag("LASTIP",4,false,$user->lastip));
-                fwrite ($bf,full_tag("SECRET",4,false,$user->secret));
                 fwrite ($bf,full_tag("PICTURE",4,false,$user->picture));
                 fwrite ($bf,full_tag("URL",4,false,$user->url));
                 fwrite ($bf,full_tag("DESCRIPTION",4,false,$user->description));
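
Review bot: Only the SECRET write is removed here, while the CVE text quoted in this report also lists password hashes as item (1), and nothing in this hunk touches a password field. Please confirm which commit covers the password-hash part and reference it in the bug before this is treated as a complete fix for CVE-2009-4303. It is also worth stating in the changelog that backup files written before this change still carry the SECRET element, since removing the fwrite only affects new backups.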

vicm3 at avalon:~$ svn diff -r3:4 moodle/backup/restorelib.php
Index: moodle/backup/restorelib.php
	--- moodle/backup/restorelib.php        (revision 3)
+++ moodle/backup/restorelib.php        (revision 4)
@@ -4670,9 +4670,6 @@
                         case "LASTIP":
                             $this->info->tempuser->lastip = $this->getContents();
                             break;
-                        case "SECRET":
-                            $this->info->tempuser->secret = $this->getContents();
-                            break;
                         case "PICTURE":
                             $this->info->tempuser->picture = $this->getContents();
                             break;


-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (900, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE= (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages moodle depends on:
ii  apache2-mpm-prefor 2.2.9-10+lenny6       Apache HTTP Server - traditional n
ii  debconf [debconf-2 1.5.24                Debian configuration management sy
ii  libapache2-mod-php 5.2.6.dfsg.1-1+lenny4 server-side, HTML-embedded scripti
ii  mimetex            1.50-1+lenny1         LaTeX math expressions to anti-ali
ii  mysql-client-5.0 [ 5.0.51a-24+lenny2     MySQL database client binaries
ii  php5-cli           5.2.6.dfsg.1-1+lenny4 command-line interpreter for the p
ii  php5-curl          5.2.6.dfsg.1-1+lenny4 CURL module for php5
ii  php5-gd            5.2.6.dfsg.1-1+lenny4 GD module for php5
ii  php5-mysql         5.2.6.dfsg.1-1+lenny4 MySQL module for php5
ii  smarty             2.6.20-1.2            Template engine for PHP
ii  ucf                3.0016                Update Configuration File: preserv
ii  wwwconfig-common   0.1.2                 Debian web auto configuration
ii  yui                2.5.0-1               Yahoo User Interface Library
ii  zip                2.32-1                Archiver for .zip files

Versions of packages moodle recommends:
ii  mysql-server-5.0 [ 5.0.51a-24+lenny2     MySQL database server binaries
ii  php5-ldap          5.2.6.dfsg.1-1+lenny4 LDAP module for php5

moodle suggests no packages.

-- debconf-show failed
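
Backup files written before the patch still contain the SECRET element. The following is an added example, not part of the original report or of Moodle's code, that audits and scrubs existing backup XML; the sample document and its MOODLE_BACKUP/USERS/USER wrapper layout are constructed assumptions, and only the leaf tag names come from the patch.

```python
import xml.etree.ElementTree as ET

# "SECRET" is the tag the patch above stops writing; extend the tuple to
# audit other fields your policy treats as sensitive.
SENSITIVE_TAGS = ("SECRET",)

# Constructed sample. The wrapper layout is an assumption for illustration;
# only LASTIP, SECRET and PICTURE are tag names shown in the patch.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<MOODLE_BACKUP>
  <USERS>
    <USER>
      <LASTIP>192.0.2.10</LASTIP>
      <SECRET>k3Yx9QpL2mZa7Tn</SECRET>
      <PICTURE>0</PICTURE>
    </USER>
    <USER>
      <LASTIP>192.0.2.11</LASTIP>
      <SECRET></SECRET>
      <PICTURE>1</PICTURE>
    </USER>
  </USERS>
</MOODLE_BACKUP>"""


def audit_backup(data, tags=SENSITIVE_TAGS):
    """Count non-empty sensitive elements in backup XML given as bytes."""
    hits = {tag: 0 for tag in tags}
    for elem in ET.fromstring(data).iter():
        if elem.tag in hits and (elem.text or "").strip():
            hits[elem.tag] += 1
    return hits


def scrub_backup(data, tags=SENSITIVE_TAGS):
    """Return the backup XML as bytes with the sensitive elements removed."""
    root = ET.fromstring(data)
    for parent in list(root.iter()):  # snapshot: the tree is edited below
        for child in list(parent):
            if child.tag in tags:
                parent.remove(child)
    return ET.tostring(root, encoding="utf-8")


if __name__ == "__main__":
    print("before:", audit_backup(SAMPLE))
    print("after: ", audit_backup(scrub_backup(SAMPLE)))
```

Run it over the XML extracted from each archived backup; any non-zero count marks a file that predates the fix.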




