|Topic:||Imported phpMyAdmin 126.96.36.199|
|Versions affected:||All previous versions (only if this module installed)
|Reported by:||phpMyAdmin security announcements|
|Solution:||Update admin/mysql/ using cvs or download latest version from http://moodle.org/mod/data/view.php?d=13&rid=448|
|Topic:||Moodle cookie path can not be restricted|
Upgrade to 1.8.4 or latest stable snapshot. Or use patch:|
Starting with 1.8.4 version it is possible to limit the scope of Moodle session cookies through sessioncookiepath setting. Please note that using the same server name (ex: www.example.com) for Moodle installation and untrusted content (ex: www.example.com/~somestudent") not recommended.
|Topic:||Bypassing restriction on multiple file uploads|
|Reported by:||Elites0ft Administrator|
Upgrade to 1.8.4 or latest stable snapshot.|
In case of 1.7.x apply patch from http://cvs.moodle.org/moodle/mod/assignment/type/upload/assignment.class.php?r1=188.8.131.52&r2=184.108.40.206
|Topic:||XSS in install.php before config.php created - no action required on working installations|
|Reported by:||Hanno Boeck (schokokeks)|
|Solution:||It is recommended to finish installation after uploading of Moodle files. Always use latest stable version for initial installation.|
|Topic:||Insufficient access control in Login as feature|
|Reported by:||Johannes Kuhn|
|Solution:||upgrade to 1.8.4|
Critical security problem was discovered in course/loginas.php script. Please make a full update or at least replace this file with latest version from 1.8.4.
|Topic:||Access elevation in user edit form|
|Reported by:||Gustav Delius|
|Solution:||upgrade to 1.6.6, 1.7.3 or any other latest stable release|
MOODLE_16_STABLE http://cvs.moodle.org/moodle/user/edit.php?r1=220.127.116.11&r2=18.104.22.168.2.1 |
Gustav Delius discovered and reported critical security problem in user editing interface which allows any registered user to significantly elevate his/her own permissions.
|Topic:||register_globals=on not supported|
|Versions affected:||all past and future versions|
Recently we have discovered several security problems in Moodle code exploitable when register_globals are enabled. This setting is considered to be highly problematic and is the most common source of security problems in PHP applications and PHP itself.
Due to the frequency of reported bugs in Moodle core and extensions caused by this obsoleted setting we have decided to stop supporting servers with register_globals=on completely. Please note that PHP developers do not considered this feature suitable for production servers and it will be completely removed in PHP6.
Latest Moodle versions print a warning on administration notification page if enabled register_globals detected. Please make sure all your servers are properly configured.