Our service provider indicated that when they tested the Face-to-Face Module they identified a major security risk (hole) and alerted us that the Face-to-Face Module was not safe to run/install. We are running Moodle 1.9.11. Could anyone shed some light on this? Is there a fix? This module does exactly what we need and we would like to use it. Thanks!
The feedback from your hosting provider, which I have also received from them, is as follows: "editattendees.php uses PARAM_RAW for a search string used to search the database. This is a serious SQL injection vulnerability. (This issue also exists in the 1.9 version.)"
I have no idea how potentially serious this is, but I do know that other hosting providers don't seem to be so concerned about it.
Hi Glen and Jenna,
Although PARAM_RAW is used, the data is still escaped by Moodle, so it will not result in an SQL injection vulnerability, nor is the search string stored or displayed to the user, so it will not result in an XSS vulnerability either. In short, this does not appear to be exploitable; however, the use of PARAM_RAW is still less than ideal, so I have updated the f2f module to use a more restrictive param type - this should keep your hosting company happy.
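To make the point in the post above concrete, here is an added illustration (not the Face-to-Face module's own code) of the pattern a scanner flags when a PARAM_RAW search string reaches a query, next to a hardened version that restricts the param type and binds the value as a placeholder. It assumes the Moodle 2.x DML API (`$DB->get_records_sql()`, `$DB->sql_like()`, `$DB->sql_like_escape()`) and the standard `clean_param()`/`PARAM_*` cleaning functions; the function names are made up for this example.

```php
<?php
// Added illustration, not code from the Face-to-Face module.
// Assumes Moodle 2.x DML ($DB) and clean_param()/PARAM_* helpers.

// Pattern that a security scan flags: a search string cleaned only with
// PARAM_RAW and concatenated straight into SQL. Whether this is actually
// exploitable depends on what else (e.g. Moodle's slash handling in 1.9)
// touches $search before it reaches the database, but it is fragile and
// should not be relied on.
function f2f_example_search_flagged($search) {
    global $DB;
    $sql = "SELECT id, firstname, lastname FROM {user}
             WHERE lastname LIKE '%" . $search . "%'";   // do not do this
    return $DB->get_records_sql($sql);
}

// Hardened version: restrict the parameter type at the input boundary
// (PARAM_TEXT instead of PARAM_RAW), escape LIKE wildcards so a user cannot
// widen the match with '%' or '_', and pass the value as a bound parameter
// so the driver, not string concatenation, separates data from SQL.
function f2f_example_search_hardened($rawsearch) {
    global $DB;
    $search = clean_param($rawsearch, PARAM_TEXT);
    $like   = $DB->sql_like('lastname', ':search', false);   // case-insensitive
    $sql    = "SELECT id, firstname, lastname FROM {user} WHERE $like";
    $params = array('search' => '%' . $DB->sql_like_escape($search) . '%');
    return $DB->get_records_sql($sql, $params);
}
```

The placeholder binding is what removes the injection risk; the narrower param type is defence in depth and is what silences the scanner finding the hosting provider reported.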
Thank you Alastair. This will be very helpful for organizations using Remote-Learner as a hosting provider in the US. Will you be able to make the same mod to the current 2.0 code?
Unfortunately I can't update the 2.0 version as it is hosted on a GitHub account that I don't have access to. I could issue a pull request but noticed there has been one sitting there since the 31st of October that still hasn't been accepted, so I'm not sure if they are being actively looked at. I will however message Jeremy Schweitzer and see if he can get it updated.
Alastair reached out to us and I think we've fixed this security issue in our 2.0 code. You can check it out here:
Very much appreciated. Thank you Jeremy and Alastair.
Yes. Thank you very much Jeremy and Alastair. Our service provider (Remote-Learner) got the fix and certified it for use. We are thrilled to be able to use this module. Thank you for your responsiveness and help. Much appreciated.