Topic: Message refreshing system may cause unlimited queries and DDoS attack
Severity: Serious
Versions affected: < 1.9.14 (2.x not affected)
Reported by: Xavier Paz
Issue no.: MDL-29311
Solution: upgrade to 1.9.14
Changes (1.9): http://git.moodle.org/gw?p=moodle.git;a=commit;h=97f258fabb3ebfa7acc7c02cb59de92b01710f99
Description:
Users could set the wait parameter of message/refresh.php to zero to cause a denial-of-service attack.
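For sites still running an affected 1.9 release, web server logs can show whether the wait parameter is being tampered with. The script below is an added example, not part of the advisory or of Moodle's code. It assumes Apache/nginx combined-format access logs, uses a hypothetical `min_wait` threshold, and runs on constructed sample lines.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Client IP and request target of a combined-format access-log line (assumed format).
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Sep/2011:10:00:00 +0000] "GET /message/refresh.php?wait=60 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Sep/2011:10:00:05 +0000] "GET /message/refresh.php?wait=0 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Sep/2011:10:00:05 +0000] "GET /moodle/message/refresh.php?wait=60&wait=%30 HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Sep/2011:10:00:09 +0000] "GET /message/refresh.php?wait=abc HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Sep/2011:10:00:12 +0000] "GET /message/index.php?wait=0 HTTP/1.1" 200 512',
]

def effective_wait(target):
    """Return the wait value PHP would read from the query string, or None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/message/refresh.php"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("wait")
    if not values:
        return None      # absent from the URL; POST bodies are not visible in access logs
    return values[-1]    # PHP keeps the last occurrence of a repeated key

def suspicious_clients(lines, min_wait=1):
    """Count, per client IP, refresh requests whose wait is below min_wait or not an integer."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = effective_wait(m.group("target"))
        if raw is None:
            continue
        try:
            bad = int(raw) < min_wait
        except ValueError:
            bad = True   # empty or non-numeric value, e.g. "wait=" or "wait=abc"
        if bad:
            hits[m.group("ip")] += 1
    return hits

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG).most_common())
```

Percent-encoded and repeated parameters are decoded before the comparison, so `wait=60&wait=%30` is counted as a zero wait.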