The command-line cron implementation in Moodle 2.0.x before 2.0.6 and 2.1.x before 2.1.3 does not properly interact with IP blocking, which might allow remote attackers to bypass intended IP address restrictions by leveraging a configuration in which IP blocking was disabled to restore cron functionality.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Moodle | Moodle | 2.0.0 (including) | 2.0.0 (including) |
| Moodle | Moodle | 2.0.1 (including) | 2.0.1 (including) |
| Moodle | Moodle | 2.0.2 (including) | 2.0.2 (including) |
| Moodle | Moodle | 2.0.3 (including) | 2.0.3 (including) |
| Moodle | Moodle | 2.0.4 (including) | 2.0.4 (including) |
| Moodle | Moodle | 2.0.5 (including) | 2.0.5 (including) |
| Moodle | Ubuntu | hardy | * |
| Moodle | Ubuntu | lucid | * |
| Moodle | Ubuntu | maverick | * |
| Moodle | Ubuntu | natty | * |
| Moodle | Ubuntu | oneiric | * |
References
- http://git.moodle.org/gw?p=moodle.git%3Ba=commit%3Bh=ade30ad3c420ce035a3d68287db701b70e806b3f
- http://moodle.org/mod/forum/discuss.php?d=191761
- https://bugzilla.redhat.com/show_bug.cgi?id=761248
- http://git.moodle.org/gw?p=moodle.git%3Ba=commit%3Bh=ade30ad3c420ce035a3d68287db701b70e806b3f
- http://moodle.org/mod/forum/discuss.php?d=191761
- https://bugzilla.redhat.com/show_bug.cgi?id=761248