Security announcements

MSA-09-0028: Multiple backup/restore related issues

Helen Foster
Topic: Multiple backup/restore related issues
Severity/Risk: Critical
Versions affected: <1.8.11 and <1.9.7
Reported by: multiple reports
Issue no.: MDL-20838, MDL-20849, MDL-20939, MDL-20932
Solution: upgrade to 1.8.11 or 1.9.7
Workaround: remove backup capability from all users

User password hashes and secrets are now never included in backup files. There are also new capabilities that control backup/restore of all user information (separately from the course data), and these are off by default. The admin has much better control over who has these capabilities, and the security overview report now gives a comprehensive picture of dangerous roles, overrides, users, etc. Even if this capability is enabled, only enrolled users can be included in backup files.
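Backup files created before the upgrade may still be stored on disk or held by other people, so it is worth auditing them for the fields this fix removes. The following check is an added example, not code from this announcement or from Moodle: the manifest name `moodle.xml` and the element names `USER`, `USERNAME`, `PASSWORD` and `SECRET` are assumptions about the backup format, and the sample archive is constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumed names: the XML manifest inside the backup zip and the
# per-user elements that carry credential material.
MANIFEST = "moodle.xml"
SENSITIVE_TAGS = {"PASSWORD", "SECRET"}


def find_credential_fields(backup_bytes):
    """Return sorted (username, tag) pairs for non-empty sensitive fields."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(backup_bytes)) as zf:
        if MANIFEST not in zf.namelist():
            return findings  # not a backup in the assumed layout
        # For archives from untrusted sources, parse with a hardened
        # XML parser (for example the defusedxml package) instead.
        root = ET.fromstring(zf.read(MANIFEST))
    for user in root.iter("USER"):
        name = (user.findtext("USERNAME") or "?").strip()
        for child in user:
            # An empty element is harmless; only flag fields with a value.
            if child.tag in SENSITIVE_TAGS and (child.text or "").strip():
                findings.append((name, child.tag))
    return sorted(findings)


def make_sample_backup(with_secrets):
    """Build a constructed in-memory backup archive for the demo."""
    creds = "<PASSWORD></PASSWORD>"
    if with_secrets:
        creds = ("<PASSWORD>0123456789abcdef0123456789abcdef</PASSWORD>"
                 "<SECRET>constructed-secret</SECRET>")
    xml = ("<MOODLE_BACKUP><COURSE><USERS>"
           "<USER><ID>3</ID><USERNAME>student1</USERNAME>%s</USER>"
           "</USERS></COURSE></MOODLE_BACKUP>" % creds)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("old-style backup", True), ("new-style backup", False)):
        hits = find_credential_fields(make_sample_backup(flag))
        print(label, "->", hits or "no credential fields")
```

Any archive that produces findings should be deleted or regenerated after the upgrade, and the passwords of the listed users treated as exposed.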