Cybersecurity is the fastest-rising concern across IT departments everywhere, and it is a particular concern for administrators of schools, colleges, and other learning organizations. But if your organization’s learning platform runs on Moodle, you might have less to worry about.
- MSA-18-0001: Server Side Request Forgery in the filepicker. A flaw in an AJAX endpoint (AJAX being the set of techniques that let a page update parts of itself with new information without a full reload) allowed any logged-in user to make the site request any valid URL. Cloud-hosted Moodle sites were particularly at risk. Identified and patched on January 22.
- MSA-18-0002: Setting for blocked hosts list can be bypassed with multiple A record hostnames. A safeguard introduced in Moodle 3.2, the “cURL blocked hosts list”, which prevents certain user roles from reaching listed hosts by direct URL, could be bypassed through DNS manipulation: a hostname that resolves to multiple A records could slip past the check. Identified and patched on January 22.
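As an added illustration of the class of check involved in MSA-18-0002 (example code written for this article, not Moodle's own implementation): a blocklist matched only against the hostname string misses a hostname whose DNS answer carries several A records, one of them pointing at an internal address, whereas checking every resolved address catches it. The resolver table, hostnames and network ranges below are constructed for the example.

```python
import ipaddress
from typing import Callable, List

# Constructed stand-in for DNS, so the example runs offline (hypothetical names).
FAKE_DNS = {
    "files.example.org": ["203.0.113.10"],
    # Two A records: one public, one loopback. A name-only check sees nothing wrong.
    "mixed.example.org": ["203.0.113.20", "127.0.0.1"],
    "localhost": ["127.0.0.1"],
}

def fake_resolve(hostname: str) -> List[str]:
    """Return every A record for a hostname from the constructed table."""
    return FAKE_DNS.get(hostname, [])

# Constructed policy: names and private/loopback ranges the server must not fetch from.
BLOCKED_HOSTNAMES = {"localhost"}
BLOCKED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("192.168.0.0/16"),
]

def naive_is_blocked(hostname: str) -> bool:
    """Weak form: compares the hostname string only, never what it resolves to."""
    return hostname in BLOCKED_HOSTNAMES

def hardened_is_blocked(hostname: str,
                        resolve: Callable[[str], List[str]] = fake_resolve) -> bool:
    """Hardened form: block if the name is listed OR if ANY resolved address
    falls inside a blocked range. Unresolvable names fail closed."""
    if hostname in BLOCKED_HOSTNAMES:
        return True
    addresses = resolve(hostname)
    if not addresses:
        return True  # fail closed: nothing resolvable, nothing to validate
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in BLOCKED_NETWORKS):
            return True
    return False
```

A server applying this check should also connect to the address it validated rather than resolving the name a second time, so the answer cannot change between check and use.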
Make sure your site is updated to the latest build of your Moodle version so that it is properly patched. If possible, upgrade to Moodle 3.4.1.