Our service provider indicated that when they tested the Face-to-Face Module they identified a major security risk (hole) and alerted us that the Face-to-Face Module was not safe to run/install. We are running Moodle 1.9.11. Could anyone shed some light on this? Is there a fix? This module does exactly what we need and we would like to use it. Thanks!
Hi Glen,
The feedback from your hosting provider, which I have also received from them, is as follows: "editattendees.php uses PARAM_RAW for a search string used to search the database. This is a serious SQL injection vulnerability. (this issue also exists in the 1.9 version)".
I have no idea how potentially serious this is, but do know that other hosting providers don't seem to be so concerned about it.
Jenna
Hi Glen and Jenna,
Although PARAM_RAW is used, the data is still escaped by Moodle, so it will not result in an SQL injection vulnerability; nor is the search string stored or displayed to the user, so it will not result in an XSS vulnerability either. In short, this does not appear to be exploitable. However, the use of PARAM_RAW is still less than ideal, so I have updated the f2f module to use a more restrictive param type - this should keep your hosting company happy.
Cheers,
Alastair
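The two layers Alastair's reply describes, a restrictive parameter type on the search string plus a query that never splices user input into SQL text, as an added, stand-alone illustration (not code from the Face-to-Face module or from Moodle). In Moodle the cleaning is done by optional_param()/clean_param() with a PARAM_* type and the query goes through the DB layer; here clean_search_term() is a hypothetical stand-in for a restrictive type, the query uses plain PDO bound placeholders so it runs without Moodle, and the user table and rows are constructed sample data.

```php
<?php
// Added example: restrictive input type + bound query parameters.
// Not Moodle or Face-to-Face code; names below are assumptions.

// Stand-in for a restrictive PARAM_* type: keep only characters a name
// or e-mail search legitimately needs and drop everything else. Note that
// '%' is dropped, so a user cannot widen the LIKE pattern with wildcards.
function clean_search_term(string $raw): string {
    return preg_replace("/[^A-Za-z0-9 @._'-]/", '', $raw);
}

// The search string reaches the database only as a bound value, so an
// apostrophe in a name such as O'Brien needs no escaping and cannot
// terminate the SQL literal. Distinct placeholder names are used because
// pdo_sqlite does not reuse one named placeholder in several positions.
function search_attendees(PDO $db, string $raw): array {
    $term = '%' . clean_search_term($raw) . '%';
    $stmt = $db->prepare(
        'SELECT id, firstname, lastname, email FROM user
          WHERE firstname LIKE :t1 OR lastname LIKE :t2 OR email LIKE :t3
          ORDER BY id'
    );
    $stmt->execute([':t1' => $term, ':t2' => $term, ':t3' => $term]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
function build_sample_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (
        id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, email TEXT)');
    $ins = $db->prepare(
        'INSERT INTO user (firstname, lastname, email) VALUES (?, ?, ?)');
    foreach ([
        ['Glen',  'Smith',   'glen@example.org'],
        ['Jenna', "O'Brien", 'jenna@example.org'],
        ['Ana',   'Lopez',   'ana@example.org'],
    ] as $row) {
        $ins->execute($row);
    }
    return $db;
}

$db = build_sample_db();

// A plain term and a term containing an apostrophe both work as literals.
foreach (['glen', "O'Brien", '%'] as $raw) {
    $rows = search_attendees($db, $raw);
    printf("search %-8s -> %d row(s)\n", json_encode($raw), count($rows));
    foreach ($rows as $r) {
        printf("  %s %s <%s>\n", $r['firstname'], $r['lastname'], $r['email']);
    }
}
```

The third search shows the effect of the restrictive type on its own: a bare "%" is stripped before it reaches the query, so the pattern becomes "%%" and still matches every row only because the surrounding wildcards are added by the code, not by the user. The point for a reviewer is that binding (not escaping) is what removes the injection concern, and the stricter parameter type is defence in depth that also keeps odd characters out of logs and error messages.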
The latest code in the git repo at https://github.com/totara/facetoface-1.9 has the fix in. I'll get a packaged release out tomorrow that will include this patch.
Cheers,
Alastair
Hi Jenna,
Unfortunately I can't update the 2.0 version as it is hosted on a github account that I don't have access to. I could issue a pull request but noticed there has been one sitting there since the 31st of October that still hasn't been accepted, so I'm not sure if they are being actively looked at. I will however message Jeremy Schweitzer and see if he can get it updated.
Cheers,
Alastair
Jenna,
Alastair reached out to us and I think we've fixed this security issue in our 2.0 code. You can check it out here: