Topic: Login information can be sent unsecured when site is configured to use SSL for logins
Severity/Risk: Minor
Versions affected: <1.8.11 and <1.9.7
Reported by: Mike Churchward
Issue no.: MDL-20958
Solution: upgrade to 1.8.11 or 1.9.7
Workaround: apply patch http://cvs.moodle.org/moodle/login/index_form.html?r1=1.50.2.1&r2=1.50.2.2
Description:
Mike Churchward described a potential problem and proposed a solution that prevents the password from being sent over an unsecured connection when SSL is required only for logins.