[securityalerts] Gradebook interface changes in upcoming 1.9.5 and a security reminder

Posted on April 14th, 2009 in Information, Moodle.org, News

An e-mail from Martin Dougiamas to Moodle admins:

Hi,

Two things you should know about as a registered Moodle admin:

Firstly, a reminder to keep your Moodle sites upgraded to prevent security issues. Using recent weekly versions such as 1.9.4+ (http://download.moodle.org/) will help ensure your site is protected.
Some recent security announcements are at http://moodle.org/security and there is documentation about upgrading Moodle here:  http://docs.moodle.org/en/Upgrading

Secondly, please note that some Moodle interface changes are planned to arrive in stable CVS in a week or two, so be warned that the Gradebook may have a new (and we hope you agree it’s better!) appearance.  This sort of change is a very rare occurrence in a stable branch as we take stability seriously.  In this case, however, there were several important usability and calculation issues raised by the community and the benefits of these fixes are large enough to justify the change in 1.9.5 (and 2.0 of course).  Please make sure your teachers are all aware of this change before you upgrade, and make sure you are prepared for it.  Avoid upgrading during a busy assessment period, for example.

Exact details about the Gradebook changes (Stage 1) are on this page:

http://docs.moodle.org/en/Development:Gradebook_improvements_in_Moodle_1.9.5

and you can read Helen’s recent announcement here:

http://moodle.org/mod/forum/discuss.php?d=120167

If you have any issues about the gradebook interface changes PLEASE let us know as soon as possible:

http://moodle.org/mod/forum/discuss.php?d=119925

If you have any questions about upgrading or general Moodle issues please start with http://moodle.org/support.

(Please don’t respond to this email – I get more email than I can handle already)

Cheers,
Martin Dougiamas (Lead Developer)

[securityalerts] Security notice: problem found in TeX and Algebra filters

Posted on April 2nd, 2009 in Moodle.org, News, Security

I received this email last night:

Hi Moodle Admins,

A serious problem with the TeX and algebra filters (used for mathematics notation in Moodle) has been found which could allow attackers to access server files.

If you don’t use TeX and algebra notation in your site then you should:

A) Simply disable the TeX and algebra filters completely for now:

Admin > Modules > Filters > Manage Filters

Otherwise you should:

B) Update your Moodle site to the latest weekly version from this week, or
C) Copy the latest files from filter/tex/* into your current install.

The full copy of the security notice MSA-09-0009 is shown below – this will be added to http://moodle.org/security to inform the wider Moodle community sometime next week.

Disclosure Link: http://packetstormsecurity.org/0903-exploits/moodle-disclose.txt

Prevent profile spam on your Moodle site

Posted on February 10th, 2009 in Moodle.org, News

Martin Dougiamas tells us how to prevent profile spam:

“One of the most common security issues that we see in Moodle sites is profile spam.

Profile spam is primarily a problem on sites with the combination of these two settings:

  1. email authentication is enabled, allowing people to self-create an account on the site
  2. the admin setting forceloginforprofiles is disabled, allowing anyone to see and link to user profiles

Some older versions of Moodle had these as default.

The problem with these settings is that spammers can create a page on the Moodle site which they can fill with links and pictures of porn and other nasty stuff. This in turn comes up in Google searches for those things, and is used to boost ratings to porn sites or hacking sites designed to take over your personal computer. Note that this content is designed for people using search engines, and is usually not available from within the Moodle site itself (since spammers don’t join any courses) so users and admins are usually not even aware their site is having this problem.

Please pass the word to all Moodle admins that you know to check these Moodle site settings and make sure their sites are not vulnerable to profile spam. Email authentication should be disabled if not needed, and if it can’t then forceloginforprofiles should definitely be enabled.

Please also use our spam-cleaning tool to scan your site to find affected profiles and delete them. This page in the docs has more details: Reducing_spam_in_Moodle and you can also get help in the Security and Privacy forum.” – from Moodle.org Moodle Announcements

Source: Moodle.org Moodle Announcements
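A configuration audit that covers both the TeX/algebra filter notice and the profile-spam advice above, as an added example (it is not Moodle's own code and not part of either announcement). It assumes the admin has pulled (name, value) rows out of the Moodle config table; the row names and shapes it relies on ('auth' as a comma-separated list of enabled plugins, 'registerauth' naming the self-registration plugin, 'forceloginforprofiles' as '1' when on, 'textfilters' as a comma-separated list such as 'filter/tex,filter/algebra') are assumptions based on Moodle 1.9, and every config row and profile record in the script is constructed for the example. The profile scan at the end is a simple heuristic of my own, not the spam-cleaning tool the announcement refers to.

```python
"""Audit a Moodle 1.9-era site for the two admin notices above.

Added example, not Moodle's code. Assumed (hypothetical) layout of the
config table rows: 'auth' = comma-separated enabled auth plugins,
'registerauth' = plugin used for self-registration, 'forceloginforprofiles'
= '1' when on, 'textfilters' = comma-separated active filters.
"""
import re

# Constructed config dump: self-registration on, profiles public, and the
# TeX/algebra filters from the security notice still active.
VULNERABLE_CONFIG = [
    ("auth", "email,ldap"),
    ("registerauth", "email"),
    ("forceloginforprofiles", "0"),
    ("textfilters", "filter/tex,filter/algebra,filter/multilang"),
]

# Constructed config dump of the same site after following both notices.
HARDENED_CONFIG = [
    ("auth", "ldap"),
    ("registerauth", ""),
    ("forceloginforprofiles", "1"),
    ("textfilters", "filter/multilang"),
]

RISKY_FILTERS = {"filter/tex", "filter/algebra"}  # filters named in the notice


def load_config(rows):
    """Moodle stores every config value as a string; absent rows stay absent."""
    return {name: str(value) for name, value in rows}


def csv_set(value):
    """Split a comma-separated Moodle setting into a set of non-empty items."""
    return {item.strip() for item in value.split(",") if item.strip()}


def self_registration_enabled(config):
    """Assumed 1.9 rule: the 'email' plugin must be enabled in 'auth' and
    also selected as the registration method in 'registerauth'."""
    return ("email" in csv_set(config.get("auth", ""))
            and config.get("registerauth", "") == "email")


def profiles_public(config):
    """A missing forceloginforprofiles row is treated as disabled, i.e. the
    old default the announcement warns about."""
    return config.get("forceloginforprofiles", "0") != "1"


def exposed_to_profile_spam(config):
    """The announcement's condition: both settings together."""
    return self_registration_enabled(config) and profiles_public(config)


def active_risky_filters(config):
    """Filters from the TeX/algebra notice that are still switched on."""
    return sorted(RISKY_FILTERS & csv_set(config.get("textfilters", "")))


def audit(config):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    if self_registration_enabled(config):
        findings.append("email self-registration enabled: anyone can create an account")
    if profiles_public(config):
        findings.append("forceloginforprofiles disabled: profiles readable without login")
    if exposed_to_profile_spam(config):
        findings.append("both spam conditions hold: site is exposed to profile spam")
    for name in active_risky_filters(config):
        findings.append(f"{name} is active: disable it or update filter/tex/*")
    return findings


# Profiles that may already have been spammed (my heuristic, not Moodle's tool).
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed rows: (user id, profile description, number of course enrolments).
SAMPLE_PROFILES = [
    (1, "Maths teacher. Blog: http://blog.example/", 2),
    (2, "", 0),
    (3, "Cheap pills http://a.example/x http://b.example/y "
        "http://c.example/z http://d.example/w", 0),
    (4, "Links: http://one.example/ http://two.example/ http://three.example/", 1),
]


def suspicious_profiles(profiles, min_links=3):
    """Flag accounts with several external links in the description and no
    course enrolments: spammers self-register but never join a course."""
    hits = []
    for user_id, description, enrolments in profiles:
        links = URL_RE.findall(description or "")
        if len(links) >= min_links and enrolments == 0:
            hits.append((user_id, len(links)))
    return hits


if __name__ == "__main__":
    for label, rows in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(load_config(rows)))
    print("suspicious profiles:", suspicious_profiles(SAMPLE_PROFILES))
```

On a real site the (name, value) rows would come from a query against the config table with the site's table prefix, and the profile rows from the user table joined to enrolment counts; the thresholds in suspicious_profiles are a starting point to tune, not a verdict.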

Moodle Point Update Tackles Security Vulnerabilities

Posted on February 5th, 2009 in Moodle.org, News

Moodle has released updates to four of its most recent branches. The latest point update, 1.9.4, addresses security vulnerabilities and includes a number of minor fixes and enhancements to the open source learning management system. – from THE Journal

Martin Dougiamas also speaks about this in the Moodle Announcement: New releases: Moodle 1.9.4, 1.8.8, 1.7.7 and 1.6.9