|Topic:|Vulnerability in Snoopy 1.2.3|
|Versions affected:|< 1.9.4, < 1.8.8, < 1.7.7, < 1.6.9|
|Reported by:|Nigel McNie|
|Issue no.:|MDL-17110 / CVE-2008-4796|
|Solution:|update to latest releases, weeklies or patch lib/snoopy/*|
The Snoopy 1.2.3 library escapes shell commands incorrectly when fetching from https URLs.
The easiest way to exploit this is probably the RSS block on the My Moodle page (any registered user). Please note that Moodle 1.9.x uses Snoopy only if the PHP cURL extension is NOT installed, because we have patched magpie to use our download_file_content() - see MDL-11845.
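
One way to keep a user-supplied feed URL from reaching a shell unescaped, shown as an added example that is not Snoopy or Moodle code. The function names `validate_feed_url()` and `fetch_feed()` and the curl binary path are assumptions made for illustration.

```php
<?php
// Added example: not Snoopy or Moodle code. Function names are hypothetical.

/** Return the URL if it is a plain http(s) URL, otherwise null. */
function validate_feed_url(string $url): ?string
{
    // Allow only characters that may legally appear in a URI (RFC 3986):
    // no spaces, double quotes, backticks, pipes or control characters.
    // \A and \z anchor the whole string, so a trailing newline is rejected.
    if (!preg_match('/\A[A-Za-z0-9\-._~:\/?#\[\]@!$&\'()*+,;=%]+\z/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

function fetch_feed(string $url, string $curlPath = '/usr/bin/curl'): string
{
    $safe = validate_feed_url($url);
    if ($safe === null) {
        throw new InvalidArgumentException('Rejected feed URL');
    }
    if (function_exists('curl_init')) {
        // Preferred path: the PHP cURL extension, so no shell is involved.
        $ch = curl_init($safe);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_TIMEOUT        => 10,
        ]);
        $body = curl_exec($ch);
        if ($body === false) {
            throw new RuntimeException('Fetch failed');
        }
        return $body;
    }
    // Fallback: external curl binary. Valid URLs may still contain characters
    // the shell treats specially ($ & ; ( ) '), so validation is not enough:
    // escapeshellarg() quotes each value so it arrives as exactly one argument.
    $cmd = escapeshellarg($curlPath) . ' --silent --max-time 10 '
         . escapeshellarg($safe);
    exec($cmd, $lines, $status);
    if ($status !== 0) {
        throw new RuntimeException("curl exited with $status");
    }
    return implode("\n", $lines);
}
```

PHP's documentation notes that `escapeshellcmd()` is meant for a whole command string and still lets a value contribute extra arguments, which is why each argument is quoted with `escapeshellarg()` here.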