Moodle: Moodle Security

Moodle Security Procedures

We treat security issues in Moodle software very seriously. Even though we dedicate a lot of time designing our code to avoid such problems, it is inevitable in a project of this size that new vulnerabilities will occasionally be discovered.

We practice responsible disclosure, which means we have a policy of disclosing all security issues that come to our attention, but only after we have solved the issue and given registered Moodle sites some time to upgrade or patch their installations.

We welcome reports of security issues and will work with reporters to fix problems and publicise patches to Moodle users as quickly as possible.

How can I report a security issue?

Please "Create a new issue" in the Moodle Tracker describing the problem (and solution if possible) in detail. Make sure you set the Security Level accurately to make sure that the security team sees it. Bugs classified as a "Serious security issue" will be hidden from the general public until the security team (led by Petr Skoda) is able to resolve it and publish fixes to registered Moodle sites (see below).

How can I keep my site secure?

The usual way is to update your whole Moodle to the latest stable release of the version you are using. It is very safe to go from 1.8.1 to 1.8.2+, for example, at any time. CVS is a very easy way to do this.
Many of the notices will include patch information. If you are fairly confident with editing scripts, then it may be easier for you to just patch the affected file.

How can I keep track of recent security issues?

Register your Moodle sites with moodle.org (visit admin/index.php in your installation to see the registration button), making sure to enable the option of being notified about security issues and updates. After your registration is accepted, your email address will be automatically added to our low-volume securityalerts mailing list.
Eventually, all important security issues are published to the general public via the forum on this page. You can subscribe to the RSS feed on this page to automatically add new issues in your favourite feed reader or portal. (Please note that security alerts prior to 2008 were made on a different site and do not appear here.)

Discussion		Last post
MSA-08-0027: customised PhpMyAdmin package upgraded to 2.11.9.3	Petr Škoda (škoďák)	Petr Škoda (škoďák) Mon, Nov 3, 2008, 07:30 AM
MSA-08-0026: customised HTML Purifier upgraded to 2.1.5	Petr Škoda (škoďák)	Petr Škoda (škoďák) Mon, Oct 20, 2008, 04:53 AM
MSA-08-0025: SQL injection in tags code	Petr Škoda (škoďák)	Petr Škoda (škoďák) Mon, Oct 20, 2008, 04:52 AM
MSA-08-0024: Overriding of frozen values in Moodle forms	Petr Škoda (škoďák)	Petr Škoda (škoďák) Mon, Oct 20, 2008, 04:50 AM
MSA-08-0023: CSRF in messaging setting	Petr Škoda (škoďák)	Petr Škoda (škoďák) Mon, Oct 20, 2008, 04:48 AM
MSA-08-0022: XSS through Wiki page titles	Petr Škoda (škoďák)	Petr Škoda (škoďák) Mon, Oct 20, 2008, 04:46 AM
MSA-08-0021: design deficiency combined with incorrect use of format_string() allowing XSS	Petr Škoda (škoďák)	Petr Škoda (škoďák) Mon, Oct 20, 2008, 04:43 AM
MSA-08-0020: quiz/questions capabilities lack some risk flags in access.php files	Petr Škoda (škoďák)	Petr Škoda (škoďák) Mon, Oct 20, 2008, 04:40 AM
MSA-08-0019: customised PhpMyAdmin package upgraded to 2.11.9.2	Petr Škoda (škoďák)	Petr Škoda (škoďák) Mon, Oct 20, 2008, 04:37 AM
MSA-08-0008: KSES related issues	Petr Škoda (škoďák)	Petr Škoda (škoďák) Tue, Sep 23, 2008, 03:22 AM
MSA-08-0018: customised PhpMyAdmin package upgraded to 2.11.8.1	Petr Škoda (škoďák)	Petr Škoda (škoďák) Tue, Jul 29, 2008, 08:19 PM
MSA-08-0013: CSRF (Cross-site Request Forgery) on Moodle edit profile page	Petr Škoda (škoďák)	Petr Škoda (škoďák) Wed, Jul 23, 2008, 12:04 AM
MSA-08-0017: customised PhpMyAdmin upgraded to 2.11.7.1	Petr Škoda (škoďák)	Petr Škoda (škoďák) Wed, Jul 16, 2008, 03:26 PM
MSA-08-0016: Email could be changed in profile without confirmation	Petr Škoda (škoďák)	Petr Škoda (škoďák) Wed, Jul 16, 2008, 02:52 PM
MSA-08-0015: accessible profiles of deleted users	Petr Škoda (škoďák)	Petr Škoda (škoďák) Wed, Jul 16, 2008, 02:51 PM
MSA-08-0014: potential sql injection in events handling code	Petr Škoda (škoďák)	Petr Škoda (škoďák) Wed, Jul 16, 2008, 02:49 PM
MSA-08-0012: Potential non-persistent XSS when searching for group members (MSSQL and Oracle only)	Petr Škoda (škoďák)	Petr Škoda (škoďák) Wed, Jul 16, 2008, 02:48 PM
MSA-08-0011: Potential webroot disclosures warning	Petr Škoda (škoďák)	Petr Škoda (škoďák) Wed, Jul 16, 2008, 02:47 PM
MSA-08-0010: sql injection in HotPot module	Petr Škoda (škoďák)	Petr Škoda (škoďák) Wed, Jul 16, 2008, 02:46 PM
MSA-08-0009: Persistent Cross-site Scripting (XSS) on blog entry title parameter	Petr Škoda (škoďák)	Petr Škoda (škoďák) Wed, Jul 16, 2008, 02:45 PM
MSA-08-0007: imported phpMyAdmin 2.11.5.1	Petr Škoda (škoďák)	Petr Škoda (škoďák) Mon, Mar 31, 2008, 03:17 PM
MSA-08-0006: Moodle cookie path can not be restricted	Petr Škoda (škoďák)	Petr Škoda (škoďák) Sat, Jan 19, 2008, 01:58 AM
MSA-08-0005: Bypassing restriction on multiple file uploads	Petr Škoda (škoďák)	Petr Škoda (škoďák) Sat, Jan 19, 2008, 01:33 AM
MSA-08-0001: Access elevation in user edit form	Petr Škoda (škoďák)	Petr Škoda (škoďák) Thu, Jan 17, 2008, 09:49 PM
MSA-08-0003: Insufficient access control in Login as feature	Petr Škoda (škoďák)	Petr Škoda (škoďák) Thu, Jan 17, 2008, 09:49 PM
MSA-08-0002: register_globals=on not supported	Petr Škoda (škoďák)	Petr Škoda (škoďák) Thu, Jan 17, 2008, 09:49 PM
MSA-08-0004: XSS in install.php before installation	Petr Škoda (škoďák)	Petr Škoda (škoďák) Thu, Jan 17, 2008, 09:49 PM

You are here

Moodle Security Procedures

How can I report a security issue?

How can I keep my site secure?

How can I keep track of recent security issues?

See also