I took the initiative and tried to patch the most important bugs I could. So, attached is a patch for various issues fixed in 1.8.12.
Fixes back ported from 1.8.12

MSA-09-0032:
Topic: Vulnerability in KSES text cleaning
Severity: Major
Versions affected: <1.8.12 and <1.9.8
Reported by: Sam Marshall
Issue no.: MDL-21026
Solution: upgrade to 1.8.12 or 1.9.8
Workaround: apply patch
http://git.moodle.org/gw?p=moodle.git;a=blobdiff;f=lib/weblib.php;h=202e3e92813864fca71a153f0ea719eb0fa6e4d3;hp=29ffa15c6276f8118adfb29f4a34a978f094071a;hb=52860d13648f6b7f941c446f9e556f45be530c2d;hpb=e5d838ec77a1aeb1598b7cd26096baa35829b0d5

Also reported by Nico Golde as bug #585425 with CVE CVE-2010-1619[0]:
| Cross-site scripting (XSS) vulnerability in the
| fix_non_standard_entities function in the KSES HTML text cleaning
| library (weblib.php), as used in Moodle 1.8.x before 1.8.12 and 1.9.x
| before 1.9.8, allows remote attackers to inject arbitrary web script
| or HTML via crafted HTML entities.

MSA-09-0033:
Topic: XSS vulnerability in the phpcas module
Severity: Major (if using CAS)
Versions affected: <1.8.12 and <1.9.8
Reported by: Joachim Fritschi
Issue no.: MDL-21802
Solution: upgrade to 1.8.12 or 1.9.8
Workaround: use CAS/Client.php from latest release
http://git.moodle.org/gw?p=moodle.git;a=blobdiff;f=auth/cas/CAS/client.php;h=965b87b82cbc5fa602377609dcd0eb6e7aa409aa;hp=2e4e593dc50cbb6f3b55a4dc07262faeec891da0;hb=1a74d63f8a71bd6812cd2b4d055d28ae45959b07;hpb=f2c36400950b17934970d3d929a972f98893ac8d
Not fixing: too changed between 1.8.2 and 1.8.12

MSA-09-0034:
Topic: Disclosure of full user names
Severity: Minor - privacy
Versions affected: <1.8.12 and <1.9.8
Reported by: Klaus Kirchner
Issue no.: MDL-21830
http://git.moodle.org/gw?p=moodle.git;a=blobdiff;f=user/view.php;h=6b6c048056f5f14988983bad1fe5807c9d2dadcf;hp=c5f2b784df7fe60173138a7db548f2b1610d1a74;hb=4597ce9ca5ca4f13bb75c3d8b117c2bf469745d0;hpb=4bbeff335774ffcc75c99e99e3923626c9445bb3

MSA-09-0036:
Topic: Incorrect validation of forms data
Severity: Critical
Versions affected: <1.8.12 and <1.9.8
Reported by: Sascha Herzog
Issue no.: MDL-21767
Solution: upgrade to 1.8.12 or 1.9.8
Workaround: patch
http://git.moodle.org/gw?p=moodle.git;a=blobdiff;f=lib/form/select.php;h=12fa7fa6834fa918da7c111c1428f801e695e8bc;hp=95a1fb4fe40d802e60ce266ad559bbcdd3f65340;hb=9770907db38aae67c2d07a09a41b42772e5b5e2c;hpb=668f994fe0f642c1aa748b837be2c498a6b92125
Not fixing: the class is too different between 1.8.2 and 1.8.12

MSA-09-0037:
Topic: Incorrect validation of forms data
Severity: Critical
Versions affected: <1.8.12 and <1.9.8
Reported by: Sascha Herzog
Issue no.: MDL-21767
Solution: upgrade to 1.8.12 or 1.9.8
Not fixing: the class is too different between 1.8.2 and 1.8.12

MSA-09-0038:
Topic: SQL injection in Wiki module
Severity: Critical
Versions affected: <1.8.12 and <1.9.8
Reported by: Matthew Slowe
Issue no.: MDL-21818
Solution: upgrade to 1.8.12 or 1.9.8
http://git.moodle.org/gw?p=moodle.git;a=commit;h=86a7b79b3c0fddcc8d9ba47674ccb533a3769778

MSA-09-0039:
Topic: Reflective Cross Site Scripting (XSS) in the Moodle Global Search Engine
Severity: Major (if global search enabled)
Versions affected: <1.8.12 and <1.9.8
Reported by: Sascha Herzog
Issue no.: MDL-21649
Solution: upgrade to 1.8.12 or 1.9.8
http://git.moodle.org/gw?p=moodle.git;a=commit;h=311956cf45f92ac83d515759134b80cce381f27b

MSA-09-0040:
Topic: Persistent XSS when using Login-as feature
Severity: Major
Versions affected: <1.8.12 and <1.9.8
Reported by: Sascha Herzog
Issue no.: MDL-21769
Solution: upgrade to 1.8.12 or 1.9.8
http://git.moodle.org/gw?p=moodle.git;a=commit;h=49ac14a86841ae12b540d6b68f29e4298d6c7607
Index: moodle/search/query.php =================================================================== --- moodle/search/query.php (revision 4) +++ moodle/search/query.php (working copy) @@ -145,37 +145,37 @@ if (isset($vars)) { foreach ($vars as $key => $value) { - $adv->$key = stripslashes(htmlentities($value)); + $adv->$key = stripslashes($value); } //foreach } ?> <form id="query" method="get" action="query.php"> <?php if (!$advanced) { ?> - <input type="text" name="query_string" length="50" value="<?php print stripslashes(htmlentities($query_string)) ?>" /> + <input type="text" name="query_string" length="50" value="<?php print p(stripslashes($query_string)) ?>" /> <input type="submit" value="Search" /> <a href="query.php?a=1">Advanced search</a> | <a href="stats.php">Statistics</a> <?php } else { print_simple_box_start('center', '', 'white', 10); ?> - <input type="hidden" name="a" value="<?php print $advanced; ?>"/> + <input type="hidden" name="a" value="<?php print p($advanced); ?>"/> <table border="0" cellpadding="3" cellspacing="3"> <tr> <td width="240">These words must appear:</td> - <td><input type="text" name="mustappear" length="50" value="<?php print $adv->mustappear; ?>" /></td> + <td><input type="text" name="mustappear" length="50" value="<?php print p($adv->mustappear;) ?>" /></td> </tr> <tr> <td>These words must not appear:</td> - <td><input type="text" name="notappear" length="50" value="<?php print $adv->notappear; ?>" /></td> + <td><input type="text" name="notappear" length="50" value="<?php print p($adv->notappear;) ?>" /></td> </tr> <tr> <td>These words help improve rank:</td> - <td><input type="text" name="canappear" length="50" value="<?php print $adv->canappear; ?>" /></td> + <td><input type="text" name="canappear" length="50" value="<?php print p($adv->canappear;) ?>" /></td> </tr> <tr> 
@@ -195,12 +195,12 @@ <tr> <td>Words in title:</td> - <td><input type="text" name="title" length="50" value="<?php print $adv->title; ?>" /></td> + <td><input type="text" name="title" length="50" value="<?php print p($adv->title;) ?>" /></td> </tr> <tr> <td>Author name:</td> - <td><input type="text" name="author" length="50" value="<?php print $adv->author; ?>" /></td> + <td><input type="text" name="author" length="50" value="<?php print p($adv->author;) ?>" /></td> </tr> <tr> @@ -256,7 +256,7 @@ print "<br />"; - print $hit_count." results returned for '".stripslashes($query_string)."'."; + print $hit_count." results returned for '".s(stripslashes($query_string))."'."; print "<br />"; if ($hit_count > 0) { @@ -295,4 +295,4 @@ print_simple_box_end(); print_footer(); -?> \ No newline at end of file +?> Index: moodle/lib/weblib.php =================================================================== --- moodle/lib/weblib.php (revision 4) +++ moodle/lib/weblib.php (working copy) @@ -1676,8 +1676,8 @@ default: /// Fix non standard entity notations - $text = preg_replace('/(&#[0-9]+)(;?)/', "\\1;", $text); - $text = preg_replace('/(&#x[0-9a-fA-F]+)(;?)/', "\\1;", $text); + $text = preg_replace('/�*([0-9]+);?/', "&#\\1;", $text); + $text = preg_replace('/�*([0-9a-fA-F]+);?/', "&#x\\1;", $text); /// Remove tags that are not allowed $text = strip_tags($text, $ALLOWED_TAGS); Index: moodle/mod/wiki/view.php =================================================================== --- moodle/mod/wiki/view.php (revision 4) +++ moodle/mod/wiki/view.php (working copy) 
@@ -10,7 +10,7 @@ require_once($CFG->libdir . '/ajax/ajaxlib.php'); require_js(array('yui_yahoo','yui_connection')); - $ewiki_action = optional_param('ewiki_action', '', PARAM_ALPHA); // Action on Wiki-Page + $ewiki_action = null; // this is a bloody global which is set up elsewhere $id = optional_param('id', 0, PARAM_INT); // Course Module ID, or $wid = optional_param('wid', 0, PARAM_INT); // Wiki ID $page = optional_param('page', false); // Wiki Page Name @@ -262,10 +262,16 @@ addslashes("view.php?id=$cm->id&groupid=$groupid&userid=$userid&page=$ewiki_title"), format_string($wiki->name,true).": ".$ewiki_title, $cm->id, $userid); } else if ($ewiki_action != 'edit') { - add_to_log($course->id, "wiki", $ewiki_action, - addslashes("view.php?id=$cm->id&groupid=$groupid&userid=$userid&page=$ewiki_title"), - format_string($wiki->name,true).": ".$ewiki_title, $cm->id, $userid); - } + if (!in_array($ewiki_action, array('view', 'links', 'info'))) { + add_to_log($course->id, "wiki", 'bogus', + addslashes("view.php?id=$cm->id&groupid=$groupid&userid=$userid&page=$ewiki_title"), + format_string($wiki->name,true).": ".$ewiki_title, $cm->id, $userid); + } else { + add_to_log($course->id, "wiki", $ewiki_action, + addslashes("view.php?id=$cm->id&groupid=$groupid&userid=$userid&page=$ewiki_title"), + format_string($wiki->name,true).": ".$ewiki_title, $cm->id, $userid); + } +} /// Print the page header Index: moodle/mod/journal/edit.html =================================================================== --- moodle/mod/journal/edit.html (revision 4) +++ moodle/mod/journal/edit.html (working copy) 
@@ -15,7 +15,7 @@ ?> </td></tr> <tr><td align="center"> -<?php print_textarea($usehtmleditor, 20, 60, 630, 400, "text", $entry->text); ?> +<?php print_textarea($usehtmleditor, 20, 60, 630, 400, "text", clean_entry($entry->text, $entry->format)); ?> </td></tr> <tr><td align="center"> <?php Index: moodle/user/view.php =================================================================== --- moodle/user/view.php (revision 4) +++ moodle/user/view.php (working copy) @@ -78,7 +78,7 @@ } } else { // Normal course if (!has_capability('moodle/course:view', $coursecontext, $user->id, false)) { - if (has_capability('moodle/course:view', $coursecontext)) { + if (has_capability('moodle/role:assign', $coursecontext)) { print_header("$strpersonalprofile: ", "$strpersonalprofile: ", "<a href=\"../course/view.php?id=$course->id\">$course->shortname</a> -> <a href=\"index.php?id=$course->id\">$strparticipants</a> -> $fullname",
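Review bot: in the search/query.php hunk at @@ -145, the three rewritten input lines put the semicolon inside the call parentheses, `print p($adv->mustappear;) ?>` (and the same for `notappear` and `canappear`), which is a PHP parse error that will break the whole search page rather than just those fields; they should read `print p($adv->mustappear); ?>`. Since `p()` already echoes its escaped argument, the leading `print` is redundant as well, so `value="<?php p($adv->mustappear); ?>"` is the cleaner form. Dropping `htmlentities()` from the `$adv->$key` assignment and escaping at the point of output instead is the right direction: the value is stored raw once and escaped exactly where it is emitted, instead of being escaped on input and then printed unescaped.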
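Review bot: the @@ -195 hunk of search/query.php repeats the same parse error on the `title` and `author` inputs, `print p($adv->title;) ?>` and `print p($adv->author;) ?>`; the semicolon belongs after the closing parenthesis, `print p($adv->title); ?>`. Worth running `php -l search/query.php` before resubmitting, since any one of these five lines is enough to stop the file compiling.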
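Review bot: the two added `preg_replace()` lines in the lib/weblib.php hunk at @@ -1676 are unreadable as posted: both patterns start with a replacement character, `'/�*([0-9]+);?/'` and `'/�*([0-9a-fA-F]+);?/'`, so the `&#` and `&#x` prefixes that the replacement strings `"&#\\1;"` and `"&#x\\1;"` rely on are not visible, most likely because the mail rendering decoded them as an HTML entity. As shown, the second pattern would also match plain decimal entities and rewrite them as hex. Please confirm the literal patterns against the upstream 1.9.8 commit linked in the MSA-09-0032 entry above (hb=52860d13648f6b7f941c446f9e556f45be530c2d), and consider attaching the patch as a file so the bytes survive.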
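Review bot: in the mod/wiki/view.php hunk at @@ -10, replacing `optional_param('ewiki_action', '', PARAM_ALPHA)` with `$ewiki_action = null;` means the value no longer comes from the request here at all, while the comment says it is a global set up elsewhere; if that setup runs before this line, the assignment resets it to null, and the whitelist check in the @@ -262 hunk then sees null every time. Please confirm the order of initialisation, and replace the "bloody global" wording with a comment that names where `$ewiki_action` is actually assigned.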
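Review bot: the @@ -262 hunk of mod/wiki/view.php is the right shape for the MSA-09-0038 fix, since the action written to the log is now either one of the literals `view`, `links`, `info` or the fixed string `bogus` rather than whatever arrived in the request; two things to tidy. First, the final `+}` is at column 0 while the block it closes is indented, which makes the nesting hard to follow in a file where every other brace is aligned. Second, the two `add_to_log()` calls differ only in their action argument, so computing the action once (`$action = in_array($ewiki_action, array('view', 'links', 'info')) ? $ewiki_action : 'bogus';`) and making a single call would remove the duplicated three-line argument list.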
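Review bot: the mod/journal/edit.html hunk calls `clean_entry($entry->text, $entry->format)`, but no definition of `clean_entry()` appears anywhere in this patch; if it is a new helper it needs to be included, and if the intent is the existing weblib.php text cleaner that function is `clean_text($text, $format)`. As posted, loading the journal edit form would fail on an undefined function.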
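Review bot: the user/view.php hunk at @@ -78 narrows the inner check from `moodle/course:view` to `moodle/role:assign`, so a viewer who can merely see the course no longer gets the profile page of a user who is not in it; that matches the MSA-09-0034 topic, but the reason is not obvious from the surrounding lines, which still carry the `// Normal course` comment only. A one-line comment stating that only users able to assign roles in this course may see the profile of a non-participant would save the next maintainer from reverting it, and the change should be checked against the upstream commit linked in the MSA-09-0034 entry above (hb=4597ce9ca5ca4f13bb75c3d8b117c2bf469745d0) to make sure no second check in that commit was left out of the backport.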