thr3ads.net - Secure testing team - [Secure-testing-team] Bug#668411: CVE-2012-1155: MSA-12-0013: Database activity export permission issue [Apr 2012]

If this information is useful, please help other people find it:
Share via:

Moritz Muehlenhoff

2012-Apr-11 17:07 UTC

[Secure-testing-team] Bug#668411: CVE-2012-1155: MSA-12-0013: Database activity export permission issue

Package: moodle
Severity: important
Tags: security

Out of the new Moodle security issues, only MSA-12-0013 affects sid and Squeeze:

MSA-12-0013: Database activity export permission issue
CVE-2012-1155

Topic:             database activity module entries exporting does
                   not respect separate groups
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.1+, 2.1 to 2.1.4+, 2.0 to 2.0.7+,
                   1.9 to 1.9.16+
Reported by:       Fr??d??ric Hoogstoel
Workaround:        Disable database content export for students
Issue no.:         MDL-25185
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-25185
Description:
The export function of the database activity module was exporting all
entries, including those from groups the user is a not member of.

This issue doesn''t warrant a DSA, but you could still fix it through a
point update.

Cheers,
        Moritz

Secure testing team - Apr 2012 - Bug#668411: CVE-2012-1155: MSA-12-0013: Database activity export permission issue

[Secure-testing-team] Bug#668411: CVE-2012-1155: MSA-12-0013: Database activity export permission issue