You may all wish to review Security Focus' vulnerability review, comparing Moodle to BB and WebCT. Amazingly, it states that the latest Moodle version shows no vulnerabilities, while the other folks do...hmmm, curiouser and curiouser...
http://securityfocus.com/bid/vendor/
dave
Hi Martin, sorry, didn't mean to imply anything, I was just seeking confirmation. Does SF take a while to change their reports? I can imagine they may be a bit left behind by the speed with which these things get fixed in the OSS community.
This is part of a big debate wrt security, a pretty big issue with our (California's) privacy laws, some of these holes in BB and WebCT are pretty alarming if they are still open.
Anyway, thanks for laying my fears to rest for at least one of the LMS's I'm responsible for.
It doesn't appear to say that in so many words. You have to look at the issues and see if they are closed. They only one they still have open is the glossary one, which was closed in 1.4.2 (see Martin's post on this thread).
The 2 Blackboard holes and the one WebCT that are still open are pretty alarming, as there is no report whether this is closed in BB 6.1 or WebCT CE (and those are core holes, also, not ones you could address by disabling a module).
That you could access someone else's digital drop box by guessing the URI on Blackboard is particularly alarming. Now that I've seen this we are going to have to spend a bunch of time seeing whether it is fixed and figuring out what to do about it if it isn't.
This is strange...yesterday when I looked it showed the various releases and clearly stated that 1.4.2 had no vulnerability issues. Maybe I clicked on a different area. Its that old age thing.
Dave
