Moodle Security Procedures

We treat security issues in Moodle software very seriously. Even though we dedicate a lot of time designing our code to avoid such problems, it is inevitable in a project of this size that new vulnerabilities will occasionally be discovered.

We practice responsible disclosure, which means we have a policy of disclosing all security issues that come to our attention, but only after we have solved the issue and given registered Moodle sites some time to upgrade or patch their installations.

We welcome reports of security issues and will work with reporters to fix problems and publicise patches to Moodle users as quickly as possible.


How can I report a security issue?

Please "Create a new issue" in the Moodle Tracker describing the problem (and solution if possible) in detail. Set the Security Level accurately so that the security team sees it. Bugs classified as a "Serious security issue" are hidden from the general public until the security team (led by Petr Skoda) has resolved them and published fixes to registered Moodle sites (see below).

How can I keep my site secure?

It is good practice to always run the latest stable release of the branch you are using; upgrading from 1.9.6 to 1.9.7+, for example, is very safe at any time. CVS is a very easy way to do this.

How can I keep track of recent security issues?

  1. Register your Moodle sites with moodle.org (visit admin/index.php in your installation to see the registration button), making sure to enable the option of being notified about security issues and updates. After your registration is accepted, your email address will be automatically added to our low-volume securityalerts mailing list.
  2. Eventually, all important security issues are published to the general public via the forum on this page. You can subscribe to the RSS feed on this page to have new issues delivered automatically to your favourite feed reader or portal. (Please note that security alerts prior to 2008 were made on a different site and do not appear here.) You can also follow moodlesecurity on Twitter.


Discussion | Started by | Replies | Last post
MSA-09-0030: New detection of insecure flash player plugins | Helen Foster | 0 | Helen Foster, Wed, Dec 2, 2009, 05:36 AM
MSA-09-0031: SQL injection in SCORM module | Helen Foster | 0 | Helen Foster, Wed, Dec 2, 2009, 05:01 AM
MSA-09-0029: Multiple password related issues | Helen Foster | 0 | Helen Foster, Wed, Dec 2, 2009, 03:44 AM
MSA-09-0028: Multiple backup/restore related issues | Helen Foster | 0 | Helen Foster, Wed, Dec 2, 2009, 03:39 AM
MSA-09-0027: Login information can be sent unsecured even when site is configured to use SSL for logins | Helen Foster | 0 | Helen Foster, Wed, Dec 2, 2009, 03:32 AM
MSA-09-0026: Invalid application access control in MNET interface | Helen Foster | 0 | Helen Foster, Wed, Dec 2, 2009, 03:28 AM
MSA-09-0025: Unneeded MD5 hashes removed from user table | Helen Foster | 0 | Helen Foster, Wed, Dec 2, 2009, 03:22 AM
MSA-09-0024: Insufficient access control in glossary | Helen Foster | 0 | Helen Foster, Wed, Dec 2, 2009, 03:18 AM
MSA-09-0023: User account disclosure in LAMS module | Helen Foster | 0 | Helen Foster, Wed, Dec 2, 2009, 03:15 AM
MSA-09-0022: Multiple CSRF problems fixed | Helen Foster | 0 | Helen Foster, Wed, Dec 2, 2009, 03:11 AM
MSA-09-0021: Error in ADODB OCI8/MSSQL drivers allows SQL injection vulnerability | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Tue, Nov 3, 2009, 04:09 AM
MSA-09-0020: Teachers can view students' grades in all courses in the overview report | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Tue, Nov 3, 2009, 03:52 AM
MSA-09-0019: SQL injection in update_record | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Tue, Nov 3, 2009, 03:50 AM
MSA-09-0018: Incorrect escaping when updating first post in a single simple discussion forum type | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Tue, Nov 3, 2009, 03:46 AM
MSA-09-0017: Upgrade code in 1.9 does not escape tags properly | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Tue, Nov 3, 2009, 03:43 AM
MSA-09-0016: Email not properly escaped on user edit page | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Tue, Nov 3, 2009, 03:41 AM
MSA-09-0015: Customised PhpMyAdmin upgraded to 2.11.9.6 | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Thu, Oct 15, 2009, 02:12 AM
MSA-09-0014: mimeTeX vulnerabilities | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Tue, Jul 21, 2009, 05:00 PM
MSA-09-0013: Customised PhpMyAdmin upgraded to 2.11.9.5 | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Wed, May 20, 2009, 10:28 PM
MSA-09-0012: SQL injections when importing outcomes | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Wed, May 20, 2009, 07:01 PM
MSA-09-0011: Glossary, database and forum ratings are not verified after submission | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Wed, May 20, 2009, 07:01 PM
MSA-09-0010: Unzip binary may create symbolic links pointing outside of dataroot on unix/linux servers | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Wed, May 20, 2009, 06:58 PM
MSA-09-0009: TeX filter file disclosure | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Mon, Apr 13, 2009, 10:46 PM
Prevent profile spam on your Moodle site | Martin Dougiamas | 0 | Martin Dougiamas, Tue, Feb 10, 2009, 01:32 PM
MSA-09-0008: CSRF vulnerability in forum code | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Wed, Feb 4, 2009, 06:14 PM
MSA-09-0007: Missing input validation in logs allows potential XSS attacks | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Wed, Feb 4, 2009, 06:12 PM
MSA-09-0006: Calendar export may allow brute force attacks | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Wed, Feb 4, 2009, 06:08 PM
MSA-09-0005: Moodle 'spell-check-logic.cgi' Insecure Temporary File Creation Vulnerability | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Wed, Feb 4, 2009, 06:08 PM
MSA-09-0004: XSS vulnerabilities in HTML blocks if "Login as" used | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Wed, Feb 4, 2009, 06:08 PM
MSA-09-0003: Vulnerability in Snoopy 1.2.3 | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Wed, Feb 4, 2009, 06:07 PM
MSA-09-0002: User pix disclosure | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Wed, Feb 4, 2009, 05:52 PM
MSA-09-0001: No way easy to remove pictures of deleted users | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Wed, Feb 4, 2009, 05:49 PM
MSA-08-0002: register_globals=on not supported | Petr Škoda (skodak) | 1 | Petr Škoda (skodak), Tue, Dec 30, 2008, 06:55 AM
MSA-08-0028: customised PhpMyAdmin package upgraded to 2.11.9.4 | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Wed, Dec 10, 2008, 09:00 AM
MSA-08-0027: customised PhpMyAdmin package upgraded to 2.11.9.3 | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Mon, Nov 3, 2008, 07:30 AM
MSA-08-0026: customised HTML Purifier upgraded to 2.1.5 | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Mon, Oct 20, 2008, 04:53 AM
MSA-08-0025: SQL injection in tags code | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Mon, Oct 20, 2008, 04:52 AM
MSA-08-0024: Overriding of frozen values in Moodle forms | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Mon, Oct 20, 2008, 04:50 AM
MSA-08-0023: CSRF in messaging setting | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Mon, Oct 20, 2008, 04:48 AM
MSA-08-0022: XSS through Wiki page titles | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Mon, Oct 20, 2008, 04:46 AM
MSA-08-0021: design deficiency combined with incorrect use of format_string() allowing XSS | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Mon, Oct 20, 2008, 04:43 AM
MSA-08-0020: quiz/questions capabilities lack some risk flags in access.php files | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Mon, Oct 20, 2008, 04:40 AM
MSA-08-0019: customised PhpMyAdmin package upgraded to 2.11.9.2 | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Mon, Oct 20, 2008, 04:37 AM
MSA-08-0008: KSES related issues | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Tue, Sep 23, 2008, 03:22 AM
MSA-08-0018: customised PhpMyAdmin package upgraded to 2.11.8.1 | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Tue, Jul 29, 2008, 08:19 PM
MSA-08-0013: CSRF (Cross-site Request Forgery) on Moodle edit profile page | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Wed, Jul 23, 2008, 12:04 AM
MSA-08-0017: customised PhpMyAdmin upgraded to 2.11.7.1 | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Wed, Jul 16, 2008, 03:26 PM
MSA-08-0016: Email could be changed in profile without confirmation | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Wed, Jul 16, 2008, 02:52 PM
MSA-08-0015: accessible profiles of deleted users | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Wed, Jul 16, 2008, 02:51 PM
MSA-08-0014: potential sql injection in events handling code | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Wed, Jul 16, 2008, 02:49 PM
MSA-08-0012: Potential non-persistent XSS when searching for group members (MSSQL and Oracle only) | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Wed, Jul 16, 2008, 02:48 PM
MSA-08-0011: Potential webroot disclosures warning | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Wed, Jul 16, 2008, 02:47 PM
MSA-08-0010: sql injection in HotPot module | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Wed, Jul 16, 2008, 02:46 PM
MSA-08-0009: Persistent Cross-site Scripting (XSS) on blog entry title parameter | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Wed, Jul 16, 2008, 02:45 PM
MSA-08-0007: imported phpMyAdmin 2.11.5.1 | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Mon, Mar 31, 2008, 03:17 PM
MSA-08-0006: Moodle cookie path can not be restricted | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Sat, Jan 19, 2008, 01:58 AM
MSA-08-0005: Bypassing restriction on multiple file uploads | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Sat, Jan 19, 2008, 01:33 AM
MSA-08-0001: Access elevation in user edit form | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Thu, Jan 17, 2008, 09:49 PM
MSA-08-0003: Insufficient access control in Login as feature | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Thu, Jan 17, 2008, 09:49 PM
MSA-08-0004: XSS in install.php before installation | Petr Škoda (skodak) | 0 | Petr Škoda (skodak), Thu, Jan 17, 2008, 09:49 PM