Bug#338592: CVE assignments for moodle

2005-11-18 Thread Moritz Muehlenhoff
Sorry, I've been too hasty:
The redirection vulnerability in jumpto.php is CVE-2005-3649 and
the SQL injection vulnerabilities are CVE-2005-3648.

Cheers,
Moritz


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#338592: CVE assignments for moodle

2005-11-18 Thread Martin Dougiamas

These are all fixed in 1.5.3.

Well, to be exact about the SQL injection we found it was almost impossible
to fix completely so we now just recommend correct PHP settings to overcome
that problem.  It turns out that the particular settings that allowed the SQL
injection were actually quite rare.

See http://security.moodle.org/

Cheers,
Martin


Moritz Muehlenhoff wrote:

Sorry, I've been too hasty:
The redirection vulnerability in jumpto.php is CVE-2005-3649 and
the SQL injection vulnerabilities are CVE-2005-3648.

Cheers,
Moritz





--
/// Moodle - open-source software for collaborative learning
///
/// Free software, community, information: http://moodle.org
/// Commercial support and other services: http://moodle.com





Bug#338592: CVE assignments for moodle

2005-11-18 Thread Isaac Clerencia
On Friday, 18 November 2005 15:32, Martin Dougiamas wrote:
 These are all fixed in 1.5.3.

 Well, to be exact about the SQL injection we found it was almost impossible
 to fix completely so we now just recommend correct PHP settings to overcome
 that problem.  It turns out that the particular settings that allowed the SQL
 injection were actually quite rare.
Thanks Martin. :)

I've been following the SQL injection issue since it was announced.
I've just decreased the severity of the bug. I'll add a notice warning about 
having register_globals=on and magic_gpc_quotes=off in the new Moodle upload.

Best regards

-- 
Isaac Clerencia at Warp Networks, http://www.warp.es
Work: [EMAIL PROTECTED]   | Debian: [EMAIL PROTECTED]
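
An added example, not part of the thread and not Moodle or Debian code: a small Python audit of php.ini text for the two settings named in the warning above. PHP spells the second directive magic_quotes_gpc; the defaults applied when a directive is absent (those of PHP 4.2 through 5.3) and the sample input are assumptions made for the example.

```python
import re

TRUE_VALUES = {"1", "on", "yes", "true"}   # php.ini boolean spellings, case-insensitive
# Assumption: defaults of PHP 4.2 through 5.3, used when a directive is absent.
DEFAULTS = {"register_globals": False, "magic_quotes_gpc": True}
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")

# Constructed sample input, not taken from any real host.
SAMPLE_INI = """\
[PHP]
; legacy application asked for this
register_globals = On
magic_quotes_gpc = "Off"   ; trailing comment
"""


def parse_flags(ini_text):
    """Return the effective boolean value of the two directives."""
    flags = dict(DEFAULTS)
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0]             # strip php.ini comments
        m = LINE_RE.match(line)
        if not m:
            continue                            # blank line or [section] header
        name, value = m.group(1), m.group(2).strip("\"'").lower()
        if name in flags:                       # directive names are case-sensitive
            flags[name] = value in TRUE_VALUES  # a later line overrides an earlier one
    return flags


def audit(ini_text):
    """List each risky setting and whether both from the warning are present."""
    flags = parse_flags(ini_text)
    issues = []
    if flags["register_globals"]:
        issues.append("register_globals is on")
    if not flags["magic_quotes_gpc"]:
        issues.append("magic_quotes_gpc is off")
    return {"issues": issues, "matches_warning": len(issues) == 2}


if __name__ == "__main__":
    print(audit(SAMPLE_INI))
```

Per-directory overrides set with php_flag in Apache configuration or .htaccess are outside what this check sees.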

