Cybersecurity is a fast-rising concern across IT departments everywhere, and it has a special place for administrators of schools, colleges, and other learning organizations. If your organization’s learning platform runs on Moodle, you have a little less to worry about, provided you keep your site patched.
Recently, Moodle HQ Development Process Manager Marina Glancy published two security advisories for vulnerabilities in Moodle core, both already fixed in the current releases:
- MSA-18-0001: Server Side Request Forgery in the filepicker. The filepicker’s AJAX endpoint (AJAX being the set of techniques that update part of a web page without reloading everything) let any logged-in user make the Moodle server fetch an arbitrary URL on their behalf. Because the request originates from the server, it can reach hosts the user cannot, such as internal services or a cloud provider’s instance-metadata endpoint, which is why cloud-hosted Moodle sites were particularly at risk. Advisory published January 22.
- MSA-18-0002: Setting for blocked hosts list can be bypassed with multiple A record hostnames. Moodle 3.2 introduced the “cURL blocked hosts list”, a site-wide safeguard that stops Moodle’s server-side HTTP client (cURL) from contacting the listed hosts or IP ranges, typically the internal network. The check validated a single resolved address, so a hostname with several A records, one public and one pointing at a blocked address, could pass the check while cURL still connected to the blocked address. Advisory published January 22.
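To make the second item concrete, here is an added example (written for this post, not Moodle’s own PHP code) that models a blocked hosts list check in Python. It contrasts a weak check that validates only the first DNS answer with a hardened one that validates every answer and pins the connection to the validated address. The DNS zone, the hostnames (files.example.org, attacker.example.net) and the round-robin resolver are all constructed so the example runs offline; real code would call socket.getaddrinfo().

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed stand-in for DNS so the example runs offline. Real code would call
# socket.getaddrinfo(). Each lookup rotates the answer order, as round-robin DNS
# does, which is exactly what lets a multi-A-record hostname slip past a check
# that validates only one answer.
class RoundRobinDNS:
    def __init__(self, zone: Dict[str, List[str]]) -> None:
        self._zone = {host: list(addrs) for host, addrs in zone.items()}

    def lookup(self, host: str) -> List[str]:
        answers = self._zone.get(host)
        if not answers:
            raise LookupError(f"NXDOMAIN: {host}")
        result = list(answers)
        answers.append(answers.pop(0))  # rotate for the next caller
        return result


# Hypothetical zone: a legitimate file host, and an attacker-controlled name with
# one public address and one pointing at the cloud instance-metadata service.
ZONE = {
    "files.example.org": ["203.0.113.10"],
    "attacker.example.net": ["203.0.113.20", "169.254.169.254"],
}

# Ranges an admin would put on a blocked hosts list: RFC 1918, loopback and
# link-local (which covers 169.254.169.254), plus their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def make_dns() -> RoundRobinDNS:
    """Fresh resolver over the constructed zone, so each run starts unrotated."""
    return RoundRobinDNS(ZONE)


def ip_is_blocked(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # A membership test across address families is simply False, so v4/v6 mixing is safe.
    return any(addr in net for net in BLOCKED_NETWORKS)


def weak_check(dns: RoundRobinDNS, host: str) -> bool:
    """Flawed check: resolve once and validate only the first answer."""
    return not ip_is_blocked(dns.lookup(host)[0])


def strict_check(dns: RoundRobinDNS, host: str) -> Optional[str]:
    """Hardened check: every answer must be allowed. Returns an address to pin
    the connection to, or None if the host is blocked."""
    addrs = dns.lookup(host)
    if any(ip_is_blocked(a) for a in addrs):
        return None
    return addrs[0]


def connect(dns: RoundRobinDNS, host: str, pinned_ip: Optional[str] = None) -> str:
    """Models the HTTP client. Without a pinned address it resolves the name
    again, as a plain cURL call would, and may land on a different A record."""
    return pinned_ip if pinned_ip is not None else dns.lookup(host)[0]


def fetch_with_weak_check(dns: RoundRobinDNS, host: str) -> Optional[str]:
    """Returns the address actually contacted, or None if the check refused."""
    if not weak_check(dns, host):
        return None
    return connect(dns, host)


def fetch_with_strict_check(dns: RoundRobinDNS, host: str) -> Optional[str]:
    """Same, but with the hardened check and a pinned connection."""
    ip = strict_check(dns, host)
    if ip is None:
        return None
    return connect(dns, host, pinned_ip=ip)


if __name__ == "__main__":
    print("weak:  ", fetch_with_weak_check(make_dns(), "attacker.example.net"))    # 169.254.169.254
    print("strict:", fetch_with_strict_check(make_dns(), "attacker.example.net"))  # None
    print("strict:", fetch_with_strict_check(make_dns(), "files.example.org"))     # 203.0.113.10
```

The weak path passes the check on the public address and then lets the client re-resolve, so the second lookup hands it the link-local metadata address. Checking every answer closes the multi-A-record hole, but it is still a time-of-check/time-of-use gap unless the connection is pinned to the validated address (with cURL, CURLOPT_RESOLVE does that), since an attacker’s authoritative server can answer differently on the next query.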
Make sure your site is updated to the latest build of your Moodle version so that both fixes are in place; if possible, upgrade to Moodle 3.4.1. If you rely on the cURL blocked hosts list (Site administration > Security > HTTP security), confirm that it lists your internal and link-local address ranges rather than only individual hostnames, since the list is only as good as the addresses on it.
This Moodle Practice related post is made possible by: eThink Education, a Certified Moodle Partner that provides a fully-managed Moodle experience including implementation, integration, cloud-hosting, and management services. To learn more about eThink, click here.