More Major Moodle Security Vulnerabilities Discovered
Moodle, the open source learning management system, has been plagued with major security and privacy vulnerabilities over the past couple of years, and the severity of those issues seems to be on a sharp upward trajectory. Details of another batch of very serious security and privacy issues were released yesterday (Saturday, 27 March 2010), with notice that everyone needed to upgrade.
Understand…these issues weren’t discovered yesterday…they have been in your codebase for a very long time…they were simply disclosed yesterday, and only to a select few people.
The details of those security and privacy vulnerabilities were sent out to a mailing list on Saturday, to every hacker in the world who has bothered to subscribe to the list…and subscribing to this “advance notice” list is as simple as pushing one button, with no verification of identity required. Ironically, if you look at the release notice for Moodle 1.9.8, this is what you see about the security issues:
The irony?:
1. The details of these very serious issues have already been emailed to every hacker subscribed to that list, by the Moodle lead developer himself. On Monday morning, the Moodle admins who happen to be subscribed to this list will discover what hackers have known since at least Saturday, and probably much longer.
2. By Moodle’s own figures, at most 45,000 of its 27 million users (about 0.17%) are even registered with Moodle, which is the only population this security list could possibly have reached–and of course, they have no way of knowing how many of the actual subscribers are not Moodle admins at all, but would-be hackers waiting for their “advance notice”.
“The software is used by 27 million people worldwide, but only 45,000 are officially registered, so it is difficult for Moodle.com to alert everyone.”
3. By Moodle’s own figures, that means over 99% of users have not been reached by this “advance” notification system at all.
4. The notice was sent out yesterday and it is already posted all over the web–of course, none of the places where it is posted are places Moodle users would be visiting. One, of many: http://pastebin.com/gQyWEszM You can Google for others…
If you are using Moodle in any kind of real-world situation, then you should be very concerned not only about the recent flurry of major security issues plaguing the software, but also about the way official notice is being sent out to hackers while the user-base at large is kept in the dark.
As I’ve said before, it’s my belief that at the same time these issues are sent out to that list, they should also be plastered across the moodle.org homepage and posted to every moodle blog, website, twitter account, etc., to give everyone a fighting chance of defending their sites against would-be hackers.
Just the opinion of one informed user who is not affiliated with Moodle.


Interesting, I have received no notice that I need to upgrade immediately. Nor will one find one on the Moodle site. 1.9.8 has been released and I was informed of that. As installer/manager/user of a Moodle site, which apparently you are not, the upgrades come out pretty regularly, and only a few have had a notice to upgrade immediately. Upgrading is really pretty easy anyway. The last upgrade took me 30 min.
So, are you paid by Blackboard for the postings?
Blackboard is not compatible with IE8 or the latest Firefox (according to the last time I was on our state’s server – I am certified to teach on Blackboard).
Other than using Moodle, I am not affiliated with them, however, I find each version easier and easier to install and use, much more so than Blackboard or some of the other LMS systems.
@Carl: Sounds like you’re a certified expert…congrats
As an experienced sysadmin, what I find unacceptable about the way Moodle handles security problems is the way they seem to sit on them and only release fixes in batches. Each time they release a security notice, it contains several major security issues that they have known about for a very long time. That is no way to run a security program.
When a major security vulnerability is discovered, a patch should be provided and users should be notified immediately. I’ve seen phpBB release three patches in a single week to address vulnerabilities. Sure, some people complain about it and phpBB may even get a bad rap about program security when fixes come out that fast, but experienced admins have far more trust in a system like phpBB, knowing they will be notified immediately when security issues are identified, than in a system like Moodle where everyone is kept in the dark about security problems for months at a time until they decide to notify users of the next batch of problems and do a new release. Think about it. Have you ever received a notice of a single major Moodle security issue with a patch to address it? I haven’t.