| Topic: | No validation performed on email address setting |
| Severity: | Minor |
| Versions affected: | 2.2, 2.1 to 2.1.3+, 2.0 to 2.0.6+, 1.9 to 1.9.15+ |
| Reported by: | John Ehringer |
| Issue no.: | MDL-13572 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-13572 |
Description:
Additional validation is now performed at various stages. As well as ensuring emails are sent to valid addresses, this also prevents potential attacks.
| Topic: | rc4encrypt function uses hardcoded key |
| Severity: | Minor |
| Versions affected: | 2.2, 2.1 to 2.1.3+, 2.0 to 2.0.6+, 1.9 to 1.9.15+ |
| Reported by: | Rajesh Taneja |
| Workaround | Manually change encryption key |
| Issue no.: | MDL-28948 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28948 |
Description:
Encryption and decryption of cookies and other values now use a key generated at install, rather than a fixed key.
| Topic: | New setting: CFG->forceloginforprofileimages |
| Severity: | Minor |
| Versions affected: | 2.2, 2.1 to 2.1.3+, 2.0 to 2.0.6+, 1.9 to 1.9.15+ |
| Reported by: | Eloy Lafuente |
| Issue no.: | MDL-29844 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=90911c4ff98dc2078a3acef5ddf5a1a8f7e20ba5 |
Description:
This config variable allows sites to prevent unauthenticated access to users' profile images.
| Topic: | Auto completion not disabled for password field in login form |
| Severity: | Minor |
| Versions affected: | 2.2, 2.1 to 2.1.3+, 2.0 to 2.0.6+, 1.9 to 1.9.15+ |
| Reported by: | Andrea Bicciolo |
| Issue no.: | MDL-30336 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-30336 |
Description:
An administration setting has been added that attempts to block browsers remembering users' passwords.
| Topic: | Forum's user.php exposes user details in 1.9.x |
| Severity: | Minor |
| Versions affected: | 1.9 to 1.9.15+ (later versions not affected) |
| Reported by: | Michael de Raadt |
| Issue no.: | MDL-30012 |
| Changes (1.9): | http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_19_STABLE&st=commit&s=MDL-30012 |
Description:
Users' names were being revealed to users without appropriate access.
| Topic: | Recaptchalib.php improvements for https users |
| Severity: | Minor |
| Versions affected: | 2.2, 2.1 to 2.1.3+, 2.0 to 2.0.6+, 1.9 to 1.9.15+ |
| Reported by: | James Snell |
| Workaround: | Avoid using recaptcha |
| Issue no.: | MDL-27364 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-27364 |
Description:
Recaptcha images were not being forced to be transmitted via SSL and some browsers were giving the option to hide insecure content when security was mixed, leaving captcha images missing.
| Topic: | When you send a message with user/action_redir you can see the emails although you had selected to hide to all |
| Severity: | Minor |
| Versions affected: | 2.1 to 2.1.2+, 2.0 to 2.0.5+, 1.9 to 1.9.14+ |
| Reported by: | Fernando Graells |
| Issue no.: | MDL-20627 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=e94113a859015a4a80b9397957b8fc4044e2951f |
Description:
A user's email address was being revealed through the messaging interface, even when it should have been hidden.
| Topic: | CLI cron doesn't work if blockedip used |
| Severity: | Minor |
| Versions affected: | 2.1 to 2.1.2+, 2.0 to 2.0.5+ (1.9.x not affected) |
| Reported by: | Ryan Smith |
| Issue no.: | MDL-29396 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=ade30ad3c420ce035a3d68287db701b70e806b3f |
| Workaround: | Avoid CLI or do not rely on IP blocking |
Description:
The command line interface for administration was not working when IP blocking was used. Removing blocked IPs allows the CLI to work but reduces security.
| Topic: | print_object in datalib.php should have some validation to make sure it's not exploited |
| Severity: | Minor |
| Versions affected: | 2.1 to 2.1.2+, 2.0 to 2.0.5+ (1.9.x not affected) |
| Reported by: | Rajesh Taneja |
| Issue no.: | MDL-28947 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=187672608ec96659e07f2461b3b83634debd16cb |
| Workaround: | Avoid leaving debugging code behind |
Description:
Developers debugging a system may output object states, and the filtering of this output has now been strengthened.
| Topic: | webservice access tokens ignore login restrictions |
| Severity: | Serious |
| Versions affected: | 2.1 to 2.1.2+, 2.0 to 2.0.5+ (1.9.x not affected) |
| Reported by: | Petr Škoda |
| Issue no.: | MDL-28629 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28629 |
| Workaround: | Turn off web services |
Description:
Web services were not checking all login restrictions when authenticating a user.