I recently wrote a small article for CMS Report about Moodle 1.9. One of the site’s contributors has let me know that there is a cross-site request forgery (CSRF) vulnerability that hackers have used on older builds of Moodle. According to The Register:
Twenty schools’ sites have fallen victim to the spoofed or defaced web page porn assault, the Times Educational Supplement reports. Many of the sites use Moodle, an open source content management system that is used to create online learning sites, sparking the theory that flaws in older versions of the package have been used to mount the attacks.
The Register article continues:
If vulnerabilities in Moodle are indeed the cause of the attack then … a Moodle script insertion and cross-site request forgery flaw (here) as the likely candidate. Another Moodle bug (here) is another possibility.
Moodle.org are taking this very seriously. According to their Security page, this is a Sev Critical issue, and they recommend that all Moodle users install the latest Moodle package from http://moodle.org/mod/data/view.php?d=13&rid=448.
Be warned…
–
