Security Announcements

 
 
Picture of Helen Foster
MSA-09-0027: Login information can be sent unsecured even when site is configured to use SSL for logins
 
Topic: Login information can be sent unsecured when site is configured to use SSL for logins
Severity/Risk: Minor
Versions affected: <1.8.11 and <1.9.7
Reported by: Mike Churchward
Issue no.: MDL-20958
Solution: upgrade to 1.8.11 or 1.9.7
Workaround: apply patch
http://cvs.moodle.org/moodle/login/index_form.html?r1=1.50.2.1&r2=1.50.2.2


Description:
Mike Churchward described a potential problem and proposed a solution that prevents sending of password via unsecured connection when SSL required only for logins.