MSA-18-0002: Setting for blocked hosts list can be bypassed with multiple A record hostnames

by Marina Glancy.  

The Moodle setting "cURL blocked hosts list" was introduced in Moodle 3.2 to prevent access to specific addresses (usually internal) when the server retrieves URLs requested by the user. A PoC was presented showing how to bypass this restriction by using a DNS record that returns multiple A records for a hostname.


...
Severity/Risk: Minor
Versions
Read more...

MSA-18-0001: Server Side Request Forgery in the filepicker

by Marina Glancy.  

By substituting the source URL in the filepicker AJAX request, authenticated users are able to retrieve and view any URL. We classify this issue as serious because some cloud hosting providers contain internal resources that can expose data and compromise a server.


...
Severity/Risk: Serious
Versions affected: 3.4, 3.3 to 3.3.3, 3.2
Read more...

MSA-17-0021: Students can find out email addresses of other students in the same course

by Marina Glancy.  

Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows them to enumerate and guess emails of other students.


...
Severity/Risk: Minor
Versions affected: 3.3 to 3.3.2, 3.2 to 3.2.5, 3.1 to 3.1.8 and earlier unsupported versions
Versions fixed: 3.4, 3.3.3, 3.2.6
Read more...

MSA-17-0020: Admins may not know that exposing vendor directory is a security risk

by Marina Glancy.  

The directories vendor/ and node_modules/, which are created by composer and used during Moodle development, may expose dangerous scripts to the web and should never be present on production sites. This issue adds a corresponding security check.

Manual action may be required from the site admin to remove composer-generated...

Read more...