Security Announcements

 
 
Picture of Helen Foster
MSA-09-0026: Invalid application access control in MNET interface
 
Topic: Invalid application access control in MNET interface
Severity/Risk: Major
Versions affected: <1.8.11 and <1.9.7
Reported by: Adrian Schlegel
Issue no.: MDL-20639
Solution: upgrade to 1.8.11 or 1.9.7
Workaround: apply patch
http://cvs.moodle.org/moodle/mnet/lib.php?r1=1.16.2.10&r2=1.16.2.11
http://cvs.moodle.org/moodle/mnet/lib.php?r1=1.9.2.7&r2=1.9.2.8


Description:
Adrian Schlegel reported a serious problem in the MNET implementation allowing execution of any MNET function from all registered remote servers. The server is vulnerable only when MNET services are enabled on the server.