Security announcements

MSA-08-0001: Access elevation in user edit form

Petr Skoda發表於
Topic:Access elevation in user edit form
Severity:Critical
Versions affected:1.5.x
<1.6.6
<1.7.3
Reported by:Gustav Delius
Issue no.:MDL-11663
Solution:upgrade to 1.6.6, 1.7.3 or any other latest stable release
Patches: MOODLE_16_STABLE http://cvs.moodle.org/moodle/user/edit.php?r1=1.112.2.4&r2=1.112.2.4.2.1
MOODLE_17_STABLE http://cvs.moodle.org/moodle/user/edit.php?r1=1.126.2.5&r2=1.126.2.6

Description:

Gustav Delius discovered and reported critical security problem in user editing interface which allows any registered user to significantly elevate his/her own permissions.

討論這一議題  (至今有 0 篇回應)

MSA-08-0002: register_globals=on not supported

Petr Skoda發表於
Topic:register_globals=on not supported
Severity:Critical
Versions affected:all past and future versions
Reported by:moodle.com
Issue no.: MDL-12914
Solution: set register_globals=off

Description:

Recently we have discovered several security problems in Moodle code exploitable when register_globals are enabled. This setting is considered to be highly problematic and is the most common source of security problems in PHP applications and PHP itself.

Due to the frequency of reported bugs in Moodle core and extensions caused by this obsoleted setting we have decided to stop supporting servers with register_globals=on completely. Please note that PHP developers do not considered this feature suitable for production servers and it will be completely removed in PHP6.

Latest Moodle versions print a warning on administration notification page if enabled register_globals detected. Please make sure all your servers are properly configured.

討論這一議題  (至今有 1 篇回應)