Moodle 1.8 release notes
Release date: 31st March 2007
Here is the full list of fixed issues in 1.8.
- Accessibility - Moodle.com
- The Moodle interface is now compliant with XHTML Strict 1.0 and major accessibility standards.
- Moodle Network - Catalyst, Richard Wyles
- We can now set up peer Moodle installations allowing users to roam from one site to another, using comprehensive SSO and transparent remote enrolments. Administrators at the originating Moodle install can see logs of remote activity. You can also run your Moodle in "Hub" mode where any Moodle install can connect and users roam across.
- Web Services API - Catalyst, Richard Wyles
- The Moodle Network code includes an XML-RPC call dispatcher that can expose the WHOLE Moodle API to trusted hosts. We will be building on this in further versions, but you can start using it now if you need to.
- Moodle forms library - Moodle.com
- The majority of forms now use a single API for defining forms consistently and collecting data safely without using any HTML at all.
- Multi Authentication - Iñaki Arenaza / Catalyst / Moodle.com
- It is now easier to configure multiple sources of authentication at once. WARNING: the format for authentication plugins has changed, so custom plugins may be broken; however, it's very easy to convert old code to the new format. More details can be found in /auth/README.txt.
- Customisable User Profiles - Pukunui Technology
- Allow new arbitrary fields to be added to the user profile, with more control over what fields appear on what signup and profile editing screens.
- Groups refactor - OU / Moodle.com
- Groups code has been reorganised to make it more flexible for the future (see 1.9).
- Roles improvements - Moodle.com
- In addition to many Roles fixes and refinements, Moodle 1.8 has separated the SYSTEM context from the SITE context (which makes it work more like 1.6 did). The SITE context is the "front page course" and its activities. This should make it easier for admins to set up permissions. "Login as" and switching of roles were rewritten. Administrators can view recommended permission settings of legacy roles and may reset legacy roles to defaults.
- Support for ODS export - Moodle.com
- Open Document Format should solve the majority of current problems with exports into the proprietary Excel format. You may need to install a special import plugin if you are using MS Office.
- CAS auth not working
- Authorize.net Payment Gateway enrolment plugin
- Payment managers can obtain an authorization code over the phone from the customer's bank if the user's credit card cannot be captured on the internet directly.
Release date: 14th June 2007
- The groups implementation has been cleaned up somewhat from the 1.8 release. The groupings GUI that appeared in 1.8 has been removed, because groupings are not complete and should not be used yet. Moodle 1.8 sites that have created groupings should upgrade to 1.8.1 to have groupings reset ... otherwise there could be problems when upgrading to the real groupings in 1.9 or later.
Release date: 8th July 2007
- Two XSS security vulnerabilities (one reported in the wild) were fixed.
Release date: 11th October 2007
- Some crucial performance fixes
- Many little annoying bugs squashed
Release date: 11 January 2008
Release date: 8th April 2008
- KSES related XSS security vulnerability fixed
Release date: 11th July 2008
- Watch the Moodle security page
Release date: 15th October 2008
- MSA-08-0020: quiz/questions capabilities lack some risk flags in access.php files
- MSA-08-0021: design deficiency combined with incorrect use of format_string() allowing XSS
- MSA-08-0022: XSS through Wiki page titles
- MSA-08-0023: CSRF in messaging setting
- MSA-08-0024: Overriding of frozen values in Moodle forms
Release date: 28th January 2009
- MDL-10021 New option, "Yes, without frame", for the file resource "Keep page navigation visible on the same page" setting. This option displays a resource in an XHTML strict page. Other options have been kept.
- MDL-16999 Some database module settings have been fixed ('Required Entries' and 'Required Entries before viewing'). If the fix has an impact on your Moodle installation, you will be warned during upgrade.
Release date: 15th May 2009
- MSA-09-0009 - TeX filter file disclosure
- MSA-09-0010 - Unzip binary may create symbolic links pointing outside of dataroot on unix/linux servers
- MSA-09-0011 - Glossary, database and forum ratings are not verified after submission
- MSA-09-0013 - Customised PhpMyAdmin upgraded to 126.96.36.199
Known problems and regressions
- MDL-19266 - Forum posts containing links are not sent on a PHP4 system (fixed in weekly build of 27th May)
Release date: 26th October 2009
- MSA-09-0018 - Incorrect escaping when updating first post in a single simple discussion forum type
- MSA-09-0019 - SQL injection in update_record
Release date: 25th November 2009
Important: Upgrading is very highly recommended!
- After upgrading, admins will be asked to change their passwords next time they log in (manual or email based self-registration accounts only).
- To reduce the risk of password theft, a password salt is set in config.php in new installs, and for upgrades admins are sent an email recommending that they do so.
- Teachers lose permission to include ANY user data in a course backup or restore a course including user data due to new capabilities moodle/backup:userinfo and moodle/restore:userinfo which are not set for the default role of teacher. Sites with custom roles should check permissions carefully.
- Hashed user passwords are no longer saved in backup files containing user data. If a backup is restored to a new site, users will be asked to go through the "forgot my password" routine the first time they log in.
- In Moodle 1.8.11+ weekly from 23/12/09 onwards: Moodle will no longer serve any uploaded Flash files to browsers with old Flash plugins. Admins can set the minimum required Flash player version in Site Administration > Security > HTTP Security.
- MSA-09-0022 - Multiple CSRF problems fixed
- MSA-09-0023 - Fixed user account disclosure in LAMS module
- MSA-09-0024 - Fixed insufficient access control in Glossary module
- MSA-09-0025 - Unneeded MD5 hashes removed from user table
- MSA-09-0026 - Fixed invalid application access control in MNET interface
- MSA-09-0027 - Ensured login information is always sent secured when using SSL for logins
- MSA-09-0028 - Passwords and secrets are no longer ever saved in backups, new backup capabilities moodle/backup:userinfo and moodle/restore:userinfo for controlling who can backup/restore user data
- MSA-09-0029 - Enabling a password salt is encouraged in config.php and admins are forced to change password after the upgrade
- MSA-09-0031 - Fixed SQL injection in SCORM module
- In Moodle 1.8.11+ weekly from 23/12/09 onwards: MSA-09-0030 - New detection of insecure Flash player plugins, Moodle won't serve Flash to insecure plugins
Release date: 27th March 2010
None, just bug fixes
- MSA-10-0001 Vulnerability in KSES text cleaning
- MSA-10-0002 XSS vulnerability in the phpcas module
- MSA-10-0003 Disclosure of full user names
- MSA-10-0005 Incorrect validation of forms data
- MSA-10-0006 SQL injection in Wiki module
- MSA-10-0007 Reflective Cross Site Scripting (XSS) in the Moodle Global Search Engine
- MSA-10-0008 Persistent XSS when using Login-as feature
- MSA-10-0009 Session fixation prevention now turned on by default
Release date: 8th June 2010
None, just bug fixes.
Some of these vulnerabilities are potentially serious so we strongly recommend you upgrade.
- MSA-10-0010 Persistent Cross Site Scripting vulnerability in the MNET access control interface
- MSA-10-0011 Cross Site Scripting vulnerability in blog/index.php
- MSA-10-0012 KSES Security Filter Bypassing vulnerability
- MSA-10-0013 Potential Cross Site Scripting vulnerability in Quiz reports
Release date: 3rd December, 2010
- MSA-10-0016 Multiple phpCAS library vulnerabilities
Also notice there was a security problem in the optional phpMyAdmin module:
- MSA-10-0014 Customised phpMyAdmin upgraded to 2.11.11
Note: This is the last formal release of the 1.8 branch. Support for this branch has been discontinued. We highly recommend you upgrade!