I think claiming to be SURE there's no such vulnerability in ALL the Moodle code is pretty brave, considering the overall coding style I wouldn't be THAT sure - as with any project of this size.
Therefore I recommend fighting Santy with some lines in the top-level .htaccess file or, if you can, in httpd.conf. For example:
RewriteEngine On
RewriteCond %{QUERY_STRING} cd%20/tmp
RewriteRule .* / [F]
or even more specificly targeting the Santy worm:
RewriteEngine OnInstead of "/" you could of course use another, very small file or redirect to somewhere else.
RewriteCond %{HTTP_USER_AGENT} .*LWP::Simple.*
RewriteRule .* / [F]
RewriteCond %{HTTP_USER_AGENT} .*lwp-.*
RewriteRule .* / [F]
Kind regards, Hannes