Moodle security releases 1.9.3, 1.8.7, 1.7.6 and 1.6.8 published

New versions have been released that fix security problems in this virtual learning environment, so updating your website is strongly recommended.

If you have contracted security updates with us for 1 year (http://www.nosolored.com/shop/moodle/moodle-actualizar-moodle-tarifa-plana-anual-5.html), you must contact us by e-mail (http://www.nosolored.com/contacto.html) to request this update.

If you do not have unlimited Moodle updates for 1 year, you can purchase the partial update for 40 € (VAT incl.) at the following address:

http://www.nosolored.com/shop/moodle/moodle-actualizar-6.html

Remember that moving from a lower version to a higher one may require modifications to the templates. These modifications must be quoted separately
(for example, from versions 1.6.x to 1.8.x and/or 1.9.x).

From version 1.9.2 to 1.9.3 there are no changes in the template design.

Information in English:

==MSA-08-0019==

Topic: customised PhpMyAdmin upgraded to 2.11.9.2
Severity: MAJOR
Versions affected: all
Reported by: upstream PMASA-2008-8
Issue no.: MDL-16623
Solution: Install latest package from
http://moodle.org/mod/data/view.php?d=13&rid=448

Description:
see http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-8

==MSA-08-0020==

Topic: quiz/questions capabilities lack some risk flags in access.php files
Severity: MINOR
Versions affected: < 1.7.6, < 1.8.7, < 1.9.3
Reported by: internal code review
Issue no.: MDL-15819
Solution: update to latest releases

Description:
We have discovered during code review that some quiz
and questions related capabilities lack proper definition
of associated risks. Administrators should update sites or
at least review the changes in risk definitions in all quiz
and question related capabilities.

==MSA-08-0021==

Topic: design deficiency combined with incorrect use of format_string() allowing XSS
Severity: HIGH
Versions affected: < 1.6.8, < 1.7.6, < 1.8.7, < 1.9.3
Reported by: Lars Vogdt
Issue no.: MDL-15823
Solution: Update to latest releases or patch format_string() function
1.6.x http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.581.4.12&r2=1.581.4.13
1.7.x http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.674.2.35&r2=1.674.2.36
1.8.x http://cvs.moodle.org/moodle/lib/weblib.php?view=log&pathrev=MOODLE_18_STABLE
1.9.x http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.970.2.103&r2=1.970.2.104

Description:
Lars Vogdt reported a Cross Site Scripting (XSS) problem in
one script; during the evaluation we realised that several
other places might be affected too. The problem was caused by
a combination of incorrect use of format_string() and the previous
design of this function. We have decided to prevent this and
any similar problems in future by adding more sanitisation into
format_string().

==MSA-08-0022==

Topic: XSS through Wiki page titles
Severity: HIGH
Versions affected: < 1.6.8, < 1.7.6, < 1.8.7, < 1.9.3
Reported by: Mike Churchward
Issue no.: MDL-15896
Solution: update to latest releases

Description:
Wiki page names were not sanitised on output, allowing
for potential cross site scripting (XSS) issues.

==MSA-08-0023==

Topic: CSRF in messaging setting
Severity: MAJOR
Versions affected: < 1.6.8, < 1.7.6, < 1.8.7, < 1.9.3
Reported by: internal code review
Issue no.: MDL-16688
Solution: update to latest releases

Description:
The messaging settings page was exposed to a CSRF
vulnerability because it wasn’t protected by the
sesskey mechanism.

==MSA-08-0024==

Topic: Overriding of frozen values in Moodle forms
Severity: MINOR
Versions affected: < 1.8.7, < 1.9.3
Reported by: Ashley Holman
Issue no.: MDL-16839
Solution: update to latest releases

Description:
Ashley Holman reported that it is possible to sidestep
the user profile locking mechanism. The cause of
this is in our quickforms integration; unfortunately
it cannot be fixed without potential regressions.
We have decided to work around this problem by
using setConstant() together with hardFreeze().
Please update your code in a similar way if required.
The problem will be better resolved in 2.0.
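
A minimal model of the workaround described above, as an added example that is not Moodle's own code. ToyForm, buildProfileForm and the sample data are constructed for illustration, and the precedence rule (constant over submitted over default) is an assumption about how the form library resolves values.

```php
<?php
// Constructed model, not Moodle's formslib: only the value-precedence rule
// (constant > submitted > default) is modelled, which is an assumption here.
class ToyForm {
    private $defaults = array();
    private $constants = array();
    private $readOnly = array();
    public function setDefault($name, $value)  { $this->defaults[$name] = $value; }
    public function setConstant($name, $value) { $this->constants[$name] = $value; }
    // Both freeze variants only change how the field is drawn in this model.
    public function freeze($name)     { $this->readOnly[$name] = 'frozen'; }
    public function hardFreeze($name) { $this->readOnly[$name] = 'hard-frozen'; }
    // What the server would store after the form is submitted.
    public function exportValues(array $submitted) {
        $out = array();
        foreach ($this->defaults as $name => $default) {
            if (array_key_exists($name, $this->constants)) {
                $out[$name] = $this->constants[$name];   // request data cannot win
            } elseif (array_key_exists($name, $submitted)) {
                $out[$name] = $submitted[$name];         // trusted even if drawn read-only
            } else {
                $out[$name] = $default;
            }
        }
        return $out;
    }
}

// Hypothetical helper: builds the profile form with or without the workaround.
function buildProfileForm(array $stored, $lockedField, $hardened) {
    $form = new ToyForm();
    foreach ($stored as $name => $value) {
        $form->setDefault($name, $value);
    }
    if ($hardened) {
        $form->hardFreeze($lockedField);
        $form->setConstant($lockedField, $stored[$lockedField]);
    } else {
        $form->freeze($lockedField);
    }
    return $form;
}

// Constructed sample data: stored profile and a request that includes the locked field.
$stored    = array('idnumber' => 'A-1001', 'city' => 'Madrid');
$submitted = array('idnumber' => 'Z-9999', 'city' => 'Sevilla');
foreach (array('freeze only' => false, 'hardFreeze + setConstant' => true) as $label => $hardened) {
    $saved = buildProfileForm($stored, 'idnumber', $hardened)->exportValues($submitted);
    echo $label, ': idnumber=', $saved['idnumber'], ' city=', $saved['city'], PHP_EOL;
}
```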

==MSA-08-0025==

Topic: SQL injection in tags code
Severity: HIGH
Versions affected: 1.9.0, 1.9.1, 1.9.2
Reported by: D P
Issue no.: MDL-16585
Solution: update to latest release

Description:
An SQL injection problem was reported in tag-related code.
Please update your site or disable the tags feature.

==MSA-08-0026==

Topic: customised HTML Purifier upgraded to 2.1.5
Severity: MINOR
Versions affected: 1.9.0, 1.9.1, 1.9.2
Reported by: upstream
Issue no.: MDL-16667
Solution: upgrade to latest release or use standard kses text cleaning engine

Description:
see http://htmlpurifier.org/