| Topic: | Message refreshing system may cause unlimited queries and DDos attack |
| Severity: | Serious |
| Versions affected: | < 1.9.14 (2.x not affected) |
| Reported by: | Xavier Paz |
| Issue no.: | MDL-29311 |
| Solution: | upgrade to 1.9.14 |
| Changes (1.9): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=97f258fabb3ebfa7acc7c02cb59de92b01710f99 |
Description:
Users could change the wait parameter from message/refresh.php to zero to cause a denial of service attack.