=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2010/VULN424
_____________________________________________________________________

DATE                      : 26/10/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Moodle versions prior to
                               1.9.10, 1.8.14 with YUI, phpCAS,
                               Customised HTML Purifier, phpMyAdmin.

======================================================================
http://moodle.org/mod/forum/discuss.php?d=160910
http://moodle.org/mod/forum/discuss.php?d=160857
http://moodle.org/mod/forum/discuss.php?d=160858
http://moodle.org/mod/forum/discuss.php?d=160811
______________________________________________________________________

MSA-10-0017: XSS vulnerability in YUI 2.4.0 through YUI 2.8.1

  	
Topic: 	XSS vulnerability in YUI 2.4.0 through YUI 2.8.1

Severity: 	Critical

Versions affected: 	< 1.9.10

Reported and coordinated by: 	YUI development team

Issue no.: 	MDL-24808

Solution: 	upgrade to Moodle 1.9.10 or replace the following vulnerable 
files as described in the linked YUI support document
/lib/yui/uploader/assets/uploader.swf
/lib/yui/charts/assets/charts.swf

Description:

Moodle 1.9.9 or older include YUI library 2.6.0 which is one of the 
vulnerable versions described in http://yuilibrary.com/support/2.8.2/, 
this makes all older versions of Moodle 1.9.x vulnerable.
________________________________________________________________________

MSA-10-0016: Multiple phpCAS library vulnerabilities

  	
Topic: 	Multiple phpCAS library vulnerabilities

Severity: 	Major

Versions affected: 	< 1.9.10 and < 1.8.14

Reported by: 	Multiple reporters
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2795
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3690
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3691
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3692

Issue no.: 	MDL-24789

Solution: 	Upgrade to latest release or if you do not use CAS 
authentication delete the /auth/cas/* directory

Description:

The CAS authentication plugin is using the phpCAS library internally. 
The latest version contains fixes for multiple security problems.
_______________________________________________________________________

MSA-10-0015: Customised HTML Purifier upgraded to 4.2.0
by Helen Foster - Monday, October 25, 2010, 07:25 PM
  	
Topic: 	Customised HTML Purifier upgraded to 4.2.0
Severity: 	Minor
Versions affected: 	< 1.9.10
Reported by: 	Upstream
Issue no.: 	MDL-24810
Solution: 	Upgrade to latest release or use standard KSES text cleaning 
engine

Description:

See http://htmlpurifier.org/
_____________________________________________________________________

MSA-10-0014: Customised phpMyAdmin upgraded to 2.11.11
by Petr Skoda (skodak) - Sunday, October 24, 2010, 07:19 PM
  	
Topic:
	Customised phpMyAdmin upgraded to 2.11.11
Severity:
	Major
Versions affected:
	all
Reported by:
	upstream
Issue no.:
	MDL-24555
Solution:
	Install latest package from 
http://moodle.org/mod/data/view.php?d=13&rid=448 or cvs
Workaround:
	delete admin/mysql/*


Description:
http://www.phpmyadmin.net/home_page/news.php

======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================