Security announcements

MSA-08-0008: KSES related issues

by Petr Skoda -
Topic: KSES related issues
Severity: Highly Critical
Versions affected: <1.6.7, <1.7.5, <1.8.5
Reported by: Łukasz Pilorz,
Issue no.: MDL-13705
Solution: update to 1.6.7, 1.7.5, 1.8.6, 1.9.2 or any recent weekly build
1/ use latest cvs version of /lib/kses.php - 1.6.x, 1.7.x, 1.8.x
2/ and patch /lib/weblib.php using - 1.6.x, 1.7.x, 1.8.x
Posted: Tue, 15 Apr 2008 21:43:49 GMT


During internal code review performed by, some weaknesses were discovered in KSES - PHP HTML/XHTML filter. HTML filters using or based on kses are part of many popular projects, including WordPress, Moodle, Drupal, eGroupware, Dokeos, PHP-Nuke, Geeklog and others. Issues found range from cross-site scripting to code execution, depending on implementation.

We received notice in advance from Łukasz Pilorz who later helped us to fix this and found another related problem in Moodle code.

There is a new option "Use HTML Purifier" in 1.9, it uses a different whitelisting technique which is considered to be much safer than KSES.

Note: severity of this issue was updated because automated exploit script was released to public and several sites were already compromised.

(Edited by Petr Škoda (škoďák) - original submission Tuesday, 15 April 2008, 9:43 PM)

MSA-08-0006: Moodle cookie path can not be restricted

by Petr Skoda -
Topic:Moodle cookie path can not be restricted
Versions affected: <1.8.4
Reported by:Kevin
Issue no.:MDL-11927
Solution: Upgrade to 1.8.4 or latest stable snapshot. Or use patch:


Starting with 1.8.4 version it is possible to limit the scope of Moodle session cookies through sessioncookiepath setting. Please note that using the same server name (ex: for Moodle installation and untrusted content (ex:") not recommended.

MSA-08-0005: Bypassing restriction on multiple file uploads

by Petr Skoda -
Topic:Bypassing restriction on multiple file uploads
Versions affected: <1.7.x
Reported by:Elites0ft Administrator
Issue no.:MDL-11783
Solution: Upgrade to 1.8.4 or latest stable snapshot.
In case of 1.7.x apply patch from

MSA-08-0004: XSS in install.php before installation

by Petr Skoda -
Topic:XSS in install.php before config.php created - no action required on working installations
Severity:Very low
Versions affected: 1.5.x
Reported by:Hanno Boeck (schokokeks)
Issue no.:MDL-12869
Solution: It is recommended to finish installation after uploading of Moodle files. Always use latest stable version for initial installation.

MSA-08-0003: Insufficient access control in Login as feature

by Petr Skoda -
Topic:Insufficient access control in Login as feature
Versions affected:1.8-1.8.3
Reported by:Johannes Kuhn
Issue no.: MDL-12911
Solution: upgrade to 1.8.4


Critical security problem was discovered in course/loginas.php script. Please make a full update or at least replace this file with latest version from 1.8.4.

MSA-08-0001: Access elevation in user edit form

by Petr Skoda -
Topic:Access elevation in user edit form
Versions affected:1.5.x
Reported by:Gustav Delius
Issue no.:MDL-11663
Solution:upgrade to 1.6.6, 1.7.3 or any other latest stable release


Gustav Delius discovered and reported critical security problem in user editing interface which allows any registered user to significantly elevate his/her own permissions.

MSA-08-0002: register_globals=on not supported

by Petr Skoda -
Topic:register_globals=on not supported
Versions affected:all past and future versions
Issue no.: MDL-12914
Solution: set register_globals=off


Recently we have discovered several security problems in Moodle code exploitable when register_globals are enabled. This setting is considered to be highly problematic and is the most common source of security problems in PHP applications and PHP itself.

Due to the frequency of reported bugs in Moodle core and extensions caused by this obsoleted setting we have decided to stop supporting servers with register_globals=on completely. Please note that PHP developers do not considered this feature suitable for production servers and it will be completely removed in PHP6.

Latest Moodle versions print a warning on administration notification page if enabled register_globals detected. Please make sure all your servers are properly configured.