Moderate severity · NVD Advisory · Published Mar 25, 2013 · Updated Apr 29, 2026
CVE-2013-1831
Description
lib/setuplib.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the absolute path in an exception message.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | <= 2.1.10 | — |
| moodle/moodle (Packagist) | >= 2.2.0, < 2.2.8 | 2.2.8 |
| moodle/moodle (Packagist) | >= 2.3.0, < 2.3.5 | 2.3.5 |
| moodle/moodle (Packagist) | >= 2.4.0, < 2.4.2 | 2.4.2 |
Affected products
Patches
2c7cdbb3b0b6 MDL-36901: Remove system paths from exceptions
2 files changed · +40 −0
lib/setuplib.php+16 −0 modified@@ -526,6 +526,22 @@ function get_exception_info($ex) { $debuginfo .= PHP_EOL.'$a contents: '.print_r($a, true); } + // Remove some absolute paths from message and debugging info. + $searches = array(); + $replaces = array(); + $cfgnames = array('tempdir', 'cachedir', 'themedir', + 'langmenucachefile', 'langcacheroot', 'dataroot', 'dirroot'); + foreach ($cfgnames as $cfgname) { + if (property_exists($CFG, $cfgname)) { + $searches[] = $CFG->$cfgname; + $replaces[] = "[$cfgname]"; + } + } + if (!empty($searches)) { + $message = str_replace($searches, $replaces, $message); + $debuginfo = str_replace($searches, $replaces, $debuginfo); + } + // Be careful, no guarantee weblib.php is loaded. if (function_exists('clean_text')) { $message = clean_text($message);
lib/tests/setuplib_test.php+24 −0 modified@@ -71,4 +71,28 @@ public function test_get_docs_url_wwwroot() { $this->assertEquals($CFG->wwwroot . '/lib/tests/setuplib_test.php', get_docs_url('%%WWWROOT%%/lib/tests/setuplib_test.php')); } + + /** + * Test if get_exception_info() removes file system paths + */ + public function test_exception_info_removes_serverpaths() { + global $CFG; + + // This doesn't test them all possible ones, but these are set for unit tests. + $cfgnames = array('dataroot', 'dirroot', 'tempdir', 'cachedir'); + + $fixture = ''; + $expected = ''; + foreach ($cfgnames as $cfgname) { + if (!empty($CFG->$cfgname)) { + $fixture .= $CFG->$cfgname.' '; + $expected .= "[$cfgname] "; + } + } + $exception = new moodle_exception('generalexceptionmessage', 'error', '', $fixture, $fixture); + $exceptioninfo = get_exception_info($exception); + + $this->assertContains($expected, $exceptioninfo->message, 'Exception message does not contain system paths'); + $this->assertContains($expected, $exceptioninfo->debuginfo, 'Exception debug info does not contain system paths'); + } }
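Review bot: In the lib/setuplib.php hunk, the guard `property_exists($CFG, $cfgname)` is looser than the `!empty($CFG->$cfgname)` check used by the test in this same patch: it is true for a setting that exists but is null or an empty string, and that value is still appended to `$searches`. Using `!empty($CFG->$cfgname)` in `get_exception_info()` as well keeps the two in step and ensures every search term is a real path.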
53c66110a878 MDL-36901: Remove system paths from exceptions
2 files changed · +40 −0
lib/setuplib.php+16 −0 modified@@ -526,6 +526,22 @@ function get_exception_info($ex) { $debuginfo .= PHP_EOL.'$a contents: '.print_r($a, true); } + // Remove some absolute paths from message and debugging info. + $searches = array(); + $replaces = array(); + $cfgnames = array('tempdir', 'cachedir', 'themedir', + 'langmenucachefile', 'langcacheroot', 'dataroot', 'dirroot'); + foreach ($cfgnames as $cfgname) { + if (property_exists($CFG, $cfgname)) { + $searches[] = $CFG->$cfgname; + $replaces[] = "[$cfgname]"; + } + } + if (!empty($searches)) { + $message = str_replace($searches, $replaces, $message); + $debuginfo = str_replace($searches, $replaces, $debuginfo); + } + // Be careful, no guarantee weblib.php is loaded. if (function_exists('clean_text')) { $message = clean_text($message);
lib/tests/setuplib_test.php+24 −0 modified@@ -118,4 +118,28 @@ public function test_is_web_crawler() { $this->assertTrue(is_web_crawler(), "$agent should be considered a search engine"); } } + + /** + * Test if get_exception_info() removes file system paths + */ + public function test_exception_info_removes_serverpaths() { + global $CFG; + + // This doesn't test them all possible ones, but these are set for unit tests. + $cfgnames = array('dataroot', 'dirroot', 'tempdir', 'cachedir'); + + $fixture = ''; + $expected = ''; + foreach ($cfgnames as $cfgname) { + if (!empty($CFG->$cfgname)) { + $fixture .= $CFG->$cfgname.' '; + $expected .= "[$cfgname] "; + } + } + $exception = new moodle_exception('generalexceptionmessage', 'error', '', $fixture, $fixture); + $exceptioninfo = get_exception_info($exception); + + $this->assertContains($expected, $exceptioninfo->message, 'Exception message does not contain system paths'); + $this->assertContains($expected, $exceptioninfo->debuginfo, 'Exception debug info does not contain system paths'); + } }
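Review bot: In the lib/tests/setuplib_test.php hunk, both `assertContains($expected, ...)` calls only prove that the `[cfgname]` placeholders are present; nothing asserts that the raw `$CFG` paths are gone, which is the property the fix exists for. Add an `assertNotContains($CFG->$cfgname, ...)` per configured name against `$exceptioninfo->message` and `$exceptioninfo->debuginfo`. The failure strings ('Exception message does not contain system paths') also read as the success condition rather than the failure, and the test exercises four of the seven names in the production `$cfgnames` list.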
b3daaada49a2 MDL-36901: Remove system paths from exceptions
1 file changed · +16 −0
lib/setuplib.php+16 −0 modified@@ -478,6 +478,22 @@ function get_exception_info($ex) { $message = $module . '/' . $errorcode; } + // Remove some absolute paths from message and debugging info. + $searches = array(); + $replaces = array(); + $cfgnames = array('tempdir', 'cachedir', 'themedir', + 'langmenucachefile', 'langcacheroot', 'dataroot', 'dirroot'); + foreach ($cfgnames as $cfgname) { + if (property_exists($CFG, $cfgname)) { + $searches[] = $CFG->$cfgname; + $replaces[] = "[$cfgname]"; + } + } + if (!empty($searches)) { + $message = str_replace($searches, $replaces, $message); + $debuginfo = str_replace($searches, $replaces, $debuginfo); + } + // Be careful, no guarantee weblib.php is loaded. if (function_exists('clean_text')) { $message = clean_text($message);
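Review bot: No regression test accompanies this backport: it changes lib/setuplib.php only, whereas the other three MDL-36901 commits also add `test_exception_info_removes_serverpaths()` to lib/tests/setuplib_test.php. If this branch has no equivalent test file, say so in the commit message; otherwise carry the test over so the redaction in `get_exception_info()` is covered here too.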
8d220cb552d9 MDL-36901: Remove system paths from exceptions
2 files changed · +40 −0
lib/setuplib.php+16 −0 modified@@ -526,6 +526,22 @@ function get_exception_info($ex) { $debuginfo .= PHP_EOL.'$a contents: '.print_r($a, true); } + // Remove some absolute paths from message and debugging info. + $searches = array(); + $replaces = array(); + $cfgnames = array('tempdir', 'cachedir', 'themedir', + 'langmenucachefile', 'langcacheroot', 'dataroot', 'dirroot'); + foreach ($cfgnames as $cfgname) { + if (property_exists($CFG, $cfgname)) { + $searches[] = $CFG->$cfgname; + $replaces[] = "[$cfgname]"; + } + } + if (!empty($searches)) { + $message = str_replace($searches, $replaces, $message); + $debuginfo = str_replace($searches, $replaces, $debuginfo); + } + // Be careful, no guarantee weblib.php is loaded. if (function_exists('clean_text')) { $message = clean_text($message);
lib/tests/setuplib_test.php+24 −0 modified@@ -118,4 +118,28 @@ public function test_is_web_crawler() { $this->assertTrue(is_web_crawler(), "$agent should be considered a search engine"); } } + + /** + * Test if get_exception_info() removes file system paths + */ + public function test_exception_info_removes_serverpaths() { + global $CFG; + + // This doesn't test them all possible ones, but these are set for unit tests. + $cfgnames = array('dataroot', 'dirroot', 'tempdir', 'cachedir'); + + $fixture = ''; + $expected = ''; + foreach ($cfgnames as $cfgname) { + if (!empty($CFG->$cfgname)) { + $fixture .= $CFG->$cfgname.' '; + $expected .= "[$cfgname] "; + } + } + $exception = new moodle_exception('generalexceptionmessage', 'error', '', $fixture, $fixture); + $exceptioninfo = get_exception_info($exception); + + $this->assertContains($expected, $exceptioninfo->message, 'Exception message does not contain system paths'); + $this->assertContains($expected, $exceptioninfo->debuginfo, 'Exception debug info does not contain system paths'); + } }
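Review bot: The `str_replace($searches, $replaces, ...)` calls in the lib/setuplib.php hunk match each `$CFG` value literally, so a path that reaches the message in another form (symlink resolved, different directory separators, different case) is not redacted. Consider normalising the configured values and adding their resolved variants to `$searches`. The order of `$cfgnames` also matters, because the replacements are applied in sequence and `dataroot` and `dirroot` sit last; a short comment saying that more specific directories must come before their parents would stop a later edit from reordering the list.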
References
- github.com/advisories/GHSA-xr24-jp5c-6c4v (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2013-1831 (ghsa, ADVISORY)
- lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.html (nvd, WEB)
- lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.html (nvd, WEB)
- openwall.com/lists/oss-security/2013/03/25/2 (nvd, WEB)
- github.com/moodle/moodle/commit/2c7cdbb3b0b6ba4dd64297463d37a5acbd730216 (ghsa, WEB)
- github.com/moodle/moodle/commit/53c66110a878f4f4644728138ea97c22990263e3 (ghsa, WEB)
- github.com/moodle/moodle/commit/8d220cb552d9c55b98aef70e2f40ef560efeb79b (ghsa, WEB)
- github.com/moodle/moodle/commit/b3daaada49a2dd83a4f1e832465d5c318f9f275c (ghsa, WEB)
- moodle.org/mod/forum/discuss.php (nvd, WEB)