MSA-17-0001: System file inclusion when adding own preset file in Boost theme

by Marina Glancy.  

Description: It is possible to read a system file by trying to include it in a Boost theme preset. This can only be exploited by Moodle admins and is only potentially dangerous in developer debugging mode.
Issue summary: System file inclusion when adding own preset file (Boost theme)
Severity/Risk: Minor
Versions affected: 3.2
Versions fixed: 3.2.1
Reported by: Frédéric Massart
Issue no.: MDL-56992
Workaround: Define $CFG->debugdisplay=0; and $CFG->debug=0; in config.php until the fix is applied
CVE identifier: -
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56992

Read more https://moodle.org/mod/forum/discuss.php?d=345911&parent=1395030