| Topic: | Invalid application access control in MNET interface |
| Severity/Risk: | Major |
| Versions affected: | <1.8.11 and <1.9.7 |
| Reported by: | Adrian Schlegel |
| Issue no.: | MDL-20639 |
| Solution: | upgrade to 1.8.11 or 1.9.7 |
| Workaround: | apply patch http://cvs.moodle.org/moodle/mnet/lib.php?r1=1.16.2.10&r2=1.16.2.11 http://cvs.moodle.org/moodle/mnet/lib.php?r1=1.9.2.7&r2=1.9.2.8 |
Description:
Adrian Schlegel reported a serious problem in the MNET implementation allowing execution of any MNET function from all registered remote servers. The server is vulnerable only when MNET services are enabled on the server.