3 Moodle Updates Address 15 Security Vulnerabilities

Moodle HQ has posted three updates for three different branches of the Moodle learning management system, tackling a total of 15 recently discovered security vulnerabilities. The new versions also provide minor improvements and bug fixes.

The updates are available now for Moodle versions 1.9.x, 2.0.x, and 2.1.x.

Moodle is a free and open source learning management system designed for a wide range of organizations of varying sizes. It includes course management tools, tools for collaborative work, online assessments, integration with plagiarism detection software, integration with repositories and electronic portfolio software, and other features common to learning management systems. It's used by about 1.1 million teachers and more than 48 million users via 58,000 sites worldwide. Those users participate in some 5.1 million total courses as of this writing. (Updated statistics can be found on the Moodle Stats portal at Moodle HQ.)

Version 2.0.x and 2.1.x Fixes
The latest releases for 2.1.x and 2.0.x (Moodle 2.1.2 and Moodle 2.0.5) each address the same 12 security vulnerabilities. The issues addressed in the updates ranged from minor to serious; none were categorized as critical.

Among the security issues addressed in 2.1.2 and 2.0.5 were:

  • Serious vulnerabilities related to wikis, including the potential for cross-site forgery;
  • A minor issue involving display of categories and courses to which users might not have had rights;
  • A serious issue with authentication involving the Box.net plugin;
  • Serious issues with form contents being alterable by users;
  • A serious issue involving the handling of SSL return codes;
  • A serious issue involving community hubs;
  • A serious issue with chat that could potentially expose users' names based on their IDs;
  • A serious cross-site scripting vulnerability (also a "potential" vulnerability in 1.9.x if configured incorrectly);
  • A minor issue with the display of user names; and
  • A minor vulnerability that would allow guests to conduct global searches.

In addition to security fixes, Moodle 2.1.2 adds several small fixes and improvements to current functionality. These include:

  • The option to delete a wiki page;
  • HTML editor improvements;
  • A fix for an issue involving viewing IMS packages;
  • A fix for RSS feed autodiscovery;
  • Improvements to LDAP support; and
  • Improvements to quizzes.

Version 2.0.5 adds similar improvements, including the option to delete a wiki page.

Fixes for Version 1.9.x
In version 1.9.14, three additional security vulnerabilities have been addressed, including:

  • A serious potential denial of service vulnerability involving message refresh;
  • A potential (minor) injection attack vulnerability involving form data editing in the course section; and
  • A serious vulnerability involving database injection.

Version 1.9.14 also adds improvements in the areas of automated backups and guest access to metacourses.

Moodle's developers are encouraging all users to upgrade to the latest appropriate release.

Moodle 2.1.2, 2.0.5, and 1.9.14 are available now as free downloads from the Moodle download page.

New Web Conferencing Integration
Unrelated to the security updates, Moodle HQ has launched a new hub for Web conferencing addons to Moodle, including new addons supporting integration with services like Adobe Connect Pro, BigBlueButton, and OpenMeetings.

The Web conferencing plugin directory is live now and accessible via Moodle.org.

The Road to Version 2.2 and Standards Compliance
In other Moodle news, open source services provider Moodlerooms announced Tuesday that it is lending its support (and code) to ensure that the impending release of Moodle 2.2 is aligned with IMS Common Cartridge and Learning Tools Interoperability standards.

"Global IMS Common Cartridge and LTI compliance is crucial for the sustainability and future of open source learning management systems," said Lou Pugliese, Moodlerooms chairman and CEO, in a statement released Tuesday. "Moodlerooms is committed to making sure the 45 million user open source Moodle community is empowered with tools to facilitate flexible interoperability with content and technology applications critical in providing effective learning outcomes. Maintaining the interoperability ensured by IMS standards compliance continues to be central to our company vision."

Moodle 2.2 is expected to be released in December.

About the Author

David Nagel is the former editorial director of 1105 Media's Education Group and editor-in-chief of THE Journal, STEAM Universe, and Spaces4Learning. A 30-year publishing veteran, Nagel has led or contributed to dozens of technology, art, marketing, media, and business publications.

He can be reached at [email protected]. You can also connect with him on LinkedIn at https://www.linkedin.com/in/davidrnagel/ .

