[VIM] Moodle issue - invalid vendor ack? and extra vulns

Steven M. Christey coley at linus.mitre.org
Fri Sep 22 18:49:07 EDT 2006


George, I looked into it and concur with your analysis.  The vendor fixed
the issue identified in the Bugtraq post.

This means we had a duplicate CVE (as you pointed out to me off-list).
The original was based on the vendor changelog, and the newer one was from
the researcher post.  Looks like some others got caught by this, too.

- Steve


======================================================
Name: CVE-2006-4785
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4785
Acknowledged: yes changelog
Announced: 20060912
Flaw: sql-inject
Reference: BUGTRAQ:20060917 Sql injection in Moodle
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/446227/100/0/threaded
Reference: CONFIRM:http://docs.moodle.org/en/Release_notes#Moodle_1.6.2
Reference: MLIST:[VIM] 20060919 Moodle issue - invalid vendor ack? and extra vulns
Reference: URL:http://www.attrition.org/pipermail/vim/2006-September/001038.html
Reference: MLIST:[VIM] 20060619 Re: Moodle issue - invalid vendor ack? and extra vulns
Reference: URL:http://www.attrition.org/pipermail/vim/2006-September/001040.html
Reference: BID:19995
Reference: URL:http://www.securityfocus.com/bid/19995
Reference: BID:20085
Reference: URL:http://www.securityfocus.com/bid/20085
Reference: FRSIRT:ADV-2006-3591
Reference: URL:http://www.frsirt.com/english/advisories/2006/3591
Reference: SECTRACK:1016877
Reference: URL:http://securitytracker.com/id?1016877
Reference: SECUNIA:21899
Reference: URL:http://secunia.com/advisories/21899
Reference: XF:moodle-unspecified-sql-injection(28904)
Reference: URL:http://xforce.iss.net/xforce/xfdb/28904
Reference: XF:moodle-edit-sql-injection(29001)
Reference: URL:http://xforce.iss.net/xforce/xfdb/29001

SQL injection vulnerability in blog/edit.php in Moodle 1.6.1 and
earlier allows remote attackers to execute arbitrary SQL commands via
the format parameter as stored in the $blogEntry variable, which is
not properly handled by the insert_record function, which calls
_adodb_column_sql in the adodb layer (lib/adodb/adodb-lib.inc.php),
which does not convert the data type to an int.


Analysis:
ACKNOWLEDGEMENT: The original discloser says "Version 1.6.2 has been
released (moodle.org)", but the changelog for 1.6.2 does not have any
specific information for this specific vuln, although it mentions many
other vulns.  The changelog does say "Undisclosed SQL injections fixed
by automatic data conversions in adodb layer."  However, CVE source
code analysis (Power) and reliable third party VIM followup analysis
show conclusively that the ACK is for this issue.


======================================================
Name: CVE-2006-4896
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4896
Acknowledged:
Announced:
Flaw:

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: CVE-2006-4785.  Reason:
This candidate is a duplicate of CVE-2006-4785.  Notes: All CVE users
should reference CVE-2006-4785 instead of this candidate.  All
references and descriptions in this candidate have been removed to
prevent accidental usage.
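
The CVE-2006-4785 description and the changelog line quoted above ("automatic data conversions in adodb layer") both turn on whether a value bound for an integer column is converted before it reaches the statement. The following is an added example, not part of the original post and not Moodle or ADOdb code; the function names, column metadata and sample values are constructed for illustration.

```php
<?php
// Simplified model of an insert helper that builds SQL from column metadata.
// Function names, the table layout and the sample values are constructed for
// illustration; this is not the code of Moodle's insert_record or of ADOdb.

// Constructed column metadata: column name => declared type.
const POST_COLUMNS = ['subject' => 'char', 'format' => 'int'];

// Behaviour the CVE entry describes: a value destined for a numeric column
// is placed in the statement without being converted to an int.
function column_sql_unconverted(string $type, $value): string
{
    if ($type === 'int') {
        return (string) $value;            // whatever text was submitted
    }
    // addslashes() is a stand-in for the database driver's quoting routine.
    return "'" . addslashes((string) $value) . "'";
}

// Behaviour with automatic conversion: numeric columns are always cast, so
// the emitted token can only ever be an integer literal.
function column_sql_converted(string $type, $value): string
{
    if ($type === 'int') {
        return (string) (int) $value;      // non-numeric trailing text is dropped
    }
    return "'" . addslashes((string) $value) . "'";
}

// Build the INSERT from metadata, using the supplied per-column formatter.
function build_insert(string $table, array $record, callable $columnSql): string
{
    $cols = [];
    $vals = [];
    foreach (POST_COLUMNS as $name => $type) {
        if (array_key_exists($name, $record)) {
            $cols[] = $name;
            $vals[] = $columnSql($type, $record[$name]);
        }
    }
    return sprintf('INSERT INTO %s (%s) VALUES (%s)',
        $table, implode(', ', $cols), implode(', ', $vals));
}

// Constructed request data: "format" should be a small integer.
$entry = ['subject' => 'hello', 'format' => '1 /* not a number */'];

echo build_insert('post', $entry, 'column_sql_unconverted'), PHP_EOL;
echo build_insert('post', $entry, 'column_sql_converted'), PHP_EOL;
```

The first line printed carries the submitted text verbatim in the numeric position; the second carries only `1`.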



