Moodle.org: Security Announcements

Moodle Security Procedures

We treat security issues in Moodle software very seriously. Even though we dedicate a lot of time designing our code to avoid such problems, it is inevitable in a project of this size that new vulnerabilities will occasionally be discovered.

We practice responsible disclosure, which means we have a policy of disclosing all security issues that come to our attention, but only after we have solved the issue and given registered Moodle sites some time to upgrade or patch their installations.

We welcome reports of security issues and will work with reporters to fix problems and publicise patches to Moodle users as quickly as possible.

How can I report a security issue?

Please "Create a new issue" in the Moodle Tracker describing the problem (and solution if possible) in detail. Make sure you set the Security Level accurately to make sure that the security team sees it. Bugs classified as a "Serious security issue" will be hidden from the general public until the security team (led by Petr Skoda) is able to resolve it and publish fixes to registered Moodle sites (see below).

How can I keep my site secure?

It's good practice to always use the latest stable release of the version you are using. It is very safe to upgrade from 1.9.6 to 1.9.7+, for example, at any time. CVS is a very easy way to do this.

How can I keep track of recent security issues?

Register your Moodle sites with moodle.org (visit admin/index.php in your installation to see the registration button), making sure to enable the option of being notified about security issues and updates. After your registration is accepted, your email address will be automatically added to our low-volume securityalerts mailing list.
Eventually, all important security issues are published to the general public via the forum on this page. You can subscribe to the RSS feed on this page to automatically add new issues in your favourite feed reader or portal. (Please note that security alerts prior to 2008 were made on a different site and do not appear here.) You can also follow moodlesecurity on Twitter.

Debat		Respostes	Darrer missatge
MSA-09-0030: New detection of insecure flash player plugins	Helen Foster	0	Helen Foster dc, 2 des 2009, 05:36
MSA-09-0031: SQL injection in SCORM module	Helen Foster	0	Helen Foster dc, 2 des 2009, 05:01
MSA-09-0029: Multiple password related issues	Helen Foster	0	Helen Foster dc, 2 des 2009, 03:44
MSA-09-0028: Multiple backup/restore related issues	Helen Foster	0	Helen Foster dc, 2 des 2009, 03:39
MSA-09-0027: Login information can be sent unsecured even when site is configured to use SSL for logins	Helen Foster	0	Helen Foster dc, 2 des 2009, 03:32
MSA-09-0026: Invalid application access control in MNET interface	Helen Foster	0	Helen Foster dc, 2 des 2009, 03:28
MSA-09-0025: Unneeded MD5 hashes removed from user table	Helen Foster	0	Helen Foster dc, 2 des 2009, 03:22
MSA-09-0024: Insufficient access control in glossary	Helen Foster	0	Helen Foster dc, 2 des 2009, 03:18
MSA-09-0023: User account disclosure in LAMS module	Helen Foster	0	Helen Foster dc, 2 des 2009, 03:15
MSA-09-0022: Multiple CSRF problems fixed	Helen Foster	0	Helen Foster dc, 2 des 2009, 03:11
MSA-09-0021: Error in ADODB OCI8/MSSQL drivers allows SQL injection vulnerability	Petr Škoda (skodak)	0	Petr Škoda (skodak) dt, 3 nov 2009, 04:09
MSA-09-0020: Teachers can view students' grades in all courses in the overview report	Petr Škoda (skodak)	0	Petr Škoda (skodak) dt, 3 nov 2009, 03:52
MSA-09-0019: SQL injection in update_record	Petr Škoda (skodak)	0	Petr Škoda (skodak) dt, 3 nov 2009, 03:50
MSA-09-0018: Incorrect escaping when updating first post in a single simple discussion forum type	Petr Škoda (skodak)	0	Petr Škoda (skodak) dt, 3 nov 2009, 03:46
MSA-09-0017: Upgrade code in 1.9 does not escape tags properly	Petr Škoda (skodak)	0	Petr Škoda (skodak) dt, 3 nov 2009, 03:43
MSA-09-0016: Email not properly escaped on user edit page	Petr Škoda (skodak)	0	Petr Škoda (skodak) dt, 3 nov 2009, 03:41
MSA-09-0015: Customised PhpMyAdmin upgraded to 2.11.9.6	Petr Škoda (skodak)	0	Petr Škoda (skodak) dj, 15 oct 2009, 02:12
MSA-09-0014: mimeTeX vulnerabilities	Petr Škoda (skodak)	0	Petr Škoda (skodak) dt, 21 jul 2009, 17:00
MSA-09-0013: Customised PhpMyAdmin upgraded to 2.11.9.5	Petr Škoda (skodak)	0	Petr Škoda (skodak) dc, 20 mai 2009, 22:28
MSA-09-0012: SQL injections when importing outcomes	Petr Škoda (skodak)	0	Petr Škoda (skodak) dc, 20 mai 2009, 19:01
MSA-09-0011: Glossary, database and forum ratings are not verified after submission	Petr Škoda (skodak)	0	Petr Škoda (skodak) dc, 20 mai 2009, 19:01
MSA-09-0010: Unzip binary may create symbolic links pointing outside of dataroot on unix/linux servers	Petr Škoda (skodak)	0	Petr Škoda (skodak) dc, 20 mai 2009, 18:58
MSA-09-0009: TeX filter file disclosure	Petr Škoda (skodak)	0	Petr Škoda (skodak) dl, 13 abr 2009, 22:46
Prevent profile spam on your Moodle site	Martin Dougiamas	0	Martin Dougiamas dt, 10 feb 2009, 13:32
MSA-09-0008: CSRF vulnerability in forum code	Petr Škoda (skodak)	0	Petr Škoda (skodak) dc, 4 feb 2009, 18:14
MSA-09-0007: Missing input validation in logs allows potential XSS attacks	Petr Škoda (skodak)	0	Petr Škoda (skodak) dc, 4 feb 2009, 18:12
MSA-09-0006: Calendar export may allow brute force attacks	Petr Škoda (skodak)	0	Petr Škoda (skodak) dc, 4 feb 2009, 18:08
MSA-09-0005: Moodle 'spell-check-logic.cgi' Insecure Temporary File Creation Vulnerability	Petr Škoda (skodak)	0	Petr Škoda (skodak) dc, 4 feb 2009, 18:08
MSA-09-0004: XSS vulnerabilities in HTML blocks if "Login as" used	Petr Škoda (skodak)	0	Petr Škoda (skodak) dc, 4 feb 2009, 18:08
MSA-09-0003: Vulnerability in Snoopy 1.2.3	Petr Škoda (skodak)	0	Petr Škoda (skodak) dc, 4 feb 2009, 18:07
MSA-09-0002: User pix disclosure	Petr Škoda (skodak)	0	Petr Škoda (skodak) dc, 4 feb 2009, 17:52
MSA-09-0001: No way easy to remove pictures of deleted users	Petr Škoda (skodak)	0	Petr Škoda (skodak) dc, 4 feb 2009, 17:49
MSA-08-0002: register_globals=on not supported	Petr Škoda (skodak)	1	Petr Škoda (skodak) dt, 30 des 2008, 06:55
MSA-08-0028: customised PhpMyAdmin package upgraded to 2.11.9.4	Petr Škoda (skodak)	0	Petr Škoda (skodak) dc, 10 des 2008, 09:00
MSA-08-0027: customised PhpMyAdmin package upgraded to 2.11.9.3	Petr Škoda (skodak)	0	Petr Škoda (skodak) dl, 3 nov 2008, 07:30
MSA-08-0026: customised HTML Purifier upgraded to 2.1.5	Petr Škoda (skodak)	0	Petr Škoda (skodak) dl, 20 oct 2008, 04:53
MSA-08-0025: SQL injection in tags code	Petr Škoda (skodak)	0	Petr Škoda (skodak) dl, 20 oct 2008, 04:52
MSA-08-0024: Overriding of frozen values in Moodle forms	Petr Škoda (skodak)	0	Petr Škoda (skodak) dl, 20 oct 2008, 04:50
MSA-08-0023: CSRF in messaging setting	Petr Škoda (skodak)	0	Petr Škoda (skodak) dl, 20 oct 2008, 04:48
MSA-08-0022: XSS through Wiki page titles	Petr Škoda (skodak)	0	Petr Škoda (skodak) dl, 20 oct 2008, 04:46
MSA-08-0021: design deficiency combined with incorrect use of format_string() allowing XSS	Petr Škoda (skodak)	0	Petr Škoda (skodak) dl, 20 oct 2008, 04:43
MSA-08-0020: quiz/questions capabilities lack some risk flags in access.php files	Petr Škoda (skodak)	0	Petr Škoda (skodak) dl, 20 oct 2008, 04:40
MSA-08-0019: customised PhpMyAdmin package upgraded to 2.11.9.2	Petr Škoda (skodak)	0	Petr Škoda (skodak) dl, 20 oct 2008, 04:37
MSA-08-0008: KSES related issues	Petr Škoda (skodak)	0	Petr Škoda (skodak) dt, 23 set 2008, 03:22
MSA-08-0018: customised PhpMyAdmin package upgraded to 2.11.8.1	Petr Škoda (skodak)	0	Petr Škoda (skodak) dt, 29 jul 2008, 20:19
MSA-08-0013: CSRF (Cross-site Request Forgery) on Moodle edit profile page	Petr Škoda (skodak)	0	Petr Škoda (skodak) dc, 23 jul 2008, 00:04
MSA-08-0017: customised PhpMyAdmin upgraded to 2.11.7.1	Petr Škoda (skodak)	0	Petr Škoda (skodak) dc, 16 jul 2008, 15:26
MSA-08-0016: Email could be changed in profile without confirmation	Petr Škoda (skodak)	0	Petr Škoda (skodak) dc, 16 jul 2008, 14:52
MSA-08-0015: accessible profiles of deleted users	Petr Škoda (skodak)	0	Petr Škoda (skodak) dc, 16 jul 2008, 14:51
MSA-08-0014: potential sql injection in events handling code	Petr Škoda (skodak)	0	Petr Škoda (skodak) dc, 16 jul 2008, 14:49
MSA-08-0012: Potential non-persistent XSS when searching for group members (MSSQL and Oracle only)	Petr Škoda (skodak)	0	Petr Škoda (skodak) dc, 16 jul 2008, 14:48
MSA-08-0011: Potential webroot disclosures warning	Petr Škoda (skodak)	0	Petr Škoda (skodak) dc, 16 jul 2008, 14:47
MSA-08-0010: sql injection in HotPot module	Petr Škoda (skodak)	0	Petr Škoda (skodak) dc, 16 jul 2008, 14:46
MSA-08-0009: Persistent Cross-site Scripting (XSS) on blog entry title parameter	Petr Škoda (skodak)	0	Petr Škoda (skodak) dc, 16 jul 2008, 14:45
MSA-08-0007: imported phpMyAdmin 2.11.5.1	Petr Škoda (skodak)	0	Petr Škoda (skodak) dl, 31 mar 2008, 15:17
MSA-08-0006: Moodle cookie path can not be restricted	Petr Škoda (skodak)	0	Petr Škoda (skodak) ds, 19 gen 2008, 01:58
MSA-08-0005: Bypassing restriction on multiple file uploads	Petr Škoda (skodak)	0	Petr Škoda (skodak) ds, 19 gen 2008, 01:33
MSA-08-0001: Access elevation in user edit form	Petr Škoda (skodak)	0	Petr Škoda (skodak) dj, 17 gen 2008, 21:49
MSA-08-0003: Insufficient access control in Login as feature	Petr Škoda (skodak)	0	Petr Škoda (skodak) dj, 17 gen 2008, 21:49
MSA-08-0004: XSS in install.php before installation	Petr Škoda (skodak)	0	Petr Škoda (skodak) dj, 17 gen 2008, 21:49

Sou aquí

Moodle Security Procedures

How can I report a security issue?

How can I keep my site secure?

How can I keep track of recent security issues?

See also