Note: You are currently viewing documentation for Moodle 1.9. Up-to-date documentation for the latest stable version is available here: Moodle 1.9 release notes.

Moodle 1.9 release notes

From MoodleDocs

Moodle 1.9

Release date: 3rd March 2008

Here is the full list of fixed issues in 1.9.

Headline features

  • Gradebook - (funded by Open University)
Completely rewritten from scratch for speed and flexibility. The new gradebook consists of plugins for reports, imports and exports. There are a number of standard reports which are useful for graders, students etc. The grader report allows you to treat the gradebook much more like a spreadsheet with manual editing, calculations, aggregations, weighting, locking, hiding, textual notes and so on.
You can also now develop a list of expected outcomes (competencies) and connect these to courses and activities. You can even grade against multiple outcomes at once (ie Rubrics).
The new Events API provides a way for any code to "hook" into events in a clean, loosely coupled way. A lot of events in Moodle (such as adding a user or a course) now trigger events that developers can hook into.
  • Scalability and performance improvements - Catalyst IT Ltd and
A complete overhaul of the Roles implementation for correctness and scalability. Large sites with thousands of courses and users now load quickly and behave well under heavy traffic, thanks to reworked code for Roles. Additional boost for sites using PHP pre-compilers and significant improvements in the database access code for all databases. Many other parts of Moodle have been optimised to cope better with large numbers of courses and students. Overall performance is very noticeably increased.
Moodle 1.9 and Mahara E-porfolio v0.9 now do transparent Single Sign On - one to one, one to many, many to many. Students can maintain their personal E-portfolios in Mahara.
Allows users to describe their own interests in terms of tags, which creates interest pages around those tags, bringing information together from a variety of sources (Blogs, Flickr, Youtube etc)
Allows questions to be shared by the whole site, a course category, a single course, or be kept private to a single module. More control over who can do what to each question. Improved file management for files linked to by questions. WARNING: previously published question categories upgraded from prior releases will no longer be editable until a suitable role is created and users assigned. For further details see How to let teachers share questions between courses
Detailed notes can be kept about individual users (for example teachers might want to keep and share notes about students in their class).
Administrators can perform bulk user actions, such as the mass deletion of user accounts. Extended features in the bulk user upload script to allow generation of user fields based on templates.
Beautiful and curvy (in all browsers).
  • KSES related XSS security vulnerability fixed

Other major improvements

New support for groupings (groups of groups) which was added briefly and then removed from 1.8.x. Activities and resources may be assigned to particular groupings.
Integrated a reworked version of the NTLM Single Sign On, originally by Dan Marsden.
  • New theme settings
    • Category themes - can now set the theme for a category which will apply to all sub-categories and courses
    • Theme order - new setting $CFG->themeorder which sets the priority of the themes from highest to lowest.
  • Ability to control block visibility with roles
  • Oracle Support - Catalyst Ltd, USQ
Significant enhancements in Oracle support, scalability and performance
  • Numerous admin settings fixes and improvements -
  • More robust block and module uninstalling -
  • cURL is used for component downloading, SOCKS5 proxies and user/password proxy authentication supported, fopen() not used anymore
  • Completed course reset implementation - Shamim Rezaie,
  • Rewritten IP lookup - for lookup used either NetGeo server or local GeoIP database, visualized with static world image or Google Maps -
  • Terms used for each role can be redefined in each course (like before Moodle 1.7)
  • Installer improvement - when upgrading Moodle, a page is displayed showing all modules installed on the site and highlighting any non-compatible contrib modules -
  • Statistics performance improvements and bugfixing -
  • Language translation tool improvements - ability to translate non-standard modules, GUI changes, capabilities support

Module improvements

  • Quiz/Question improvements:
    • Improved question bank, as above.
    • Quizzes now listed on the MyMoodle page. (Implemented by Stephen Bourget and Tim Hunt.)
    • A quiz can now send emails when an attempt is finished - a confirmation to the student, a notification to all teachers, or both. (Implemented by Graham Miller of Web Enhanced Solutions and Tim Hunt.)
    • Third party question types can now implement Moodle XML and other import and export format. (Implemented by Howard Miller.)
    • Gift Import/Export format can now handle Essay and Description question types.
    • Some slight improvements to quiz layout. See MDL-10374 for details. Theme designers please note.
    • Multiple choice questions now show the feedback for all the options to students on the review page after the attempt is over.
  • Forum improvements:
    • Major performance improvements in cron and user interface -
    • Ability to select aggregation type (i.e. sum, max, min, average, or count) for forum ratings. See MDL-3942 for details.

New language packs

Five new language packs (see Translation credits for additional details) and improvements in many other languages.

  • Armenian - Andranik Markosyan
  • Latin - Nicholas Sinnott-Armstrong (GHOP project)
  • Macedonian - Dimitar Talevsk and his team
  • Mongolian - B.Batpurev, I.Mendbayar, G.Khadbaatar, Munkhzul, O.Amartuvshin, Batbayar, B.Uugangerel
  • Tamil Sri Lanka - M A Kaleelur Rahuma

Upgrading issues

If upgrading from 1.6 or later, you must have converted your site to Unicode. See Upgrading to Moodle 1.9 for further information.

Moodle 1.9.1

Release date: 15th May 2008

Here is the full list of fixed issues in 1.9.1.


New language packs

  • Uzbek - Orif N. Ruzimurodov
  • Welsh - Karen Coyle

(See Translation credits for additional details.)

Moodle 1.9.2

Release date: 11th July 2008

Here is the full list of fixed issues in 1.9.2.


  • Compatibility fixes for MSSQL, Oracle and PostgreSQL
  • Improved triggering of core events (though contributed code needs to be updated - see MDL-9983)
  • Email change confirmation and other improvements relating to reducing the risk of spam
  • Forum subscription improvements
  • Setting for deleting not-fully-set-up accounts
  • Quiz report enhancements and bug fixes (see Quiz report enhancements for full list, though most are planned for Moodle 2.0)

Security issues

  • MSA-08-0010: sql injection in HotPot module
  • MSA-08-0012: Potential non-persistent XSS when searching for group members (MSSQL and Oracle only)
  • MSA-08-0014: potential sql injection in events handling code
  • MSA-08-0015: accessible profiles of deleted users
  • MSA-08-0016: Email could be changed in profile without confirmation

Moodle 1.9.3

Release date: 15th October 2008

Here is the full list of fixed issues in 1.9.3.


  • Major SCORM module improvements
    • Passes all SCORM 1.2 Conformance tests
    • Improved Visualisation of SCORM objects
    • New Debug tool
    • Improved handling of AICC objects
    • Better cross-platform compatible javascript
    • Improved the interaction of SCO completion and Gradebook interaction
    • TOC fixes - structure, expand/collapse, and prerequisites
    • Corrected element behaviour for cmi.objectives, cmi.comments_from_learner, cmi.interactions, cmi.launch_data
  • New capabilities: moodle/role:safeoverride, moodle/course:changefullname, moodle/course:changeidnumber and moodle/course:changeshortname
  • New option in HTML settings to allow HTML tags in activity and resource names
  • Improved detection of misconfigured dataroot directory
  • New Manage authentication setting for relaxing email domain restrictions when changing email
  • New Enrolments setting for disabling the email welcome message which users receive when they self-enrol in a course
  • New Internal enrolment setting for disabling the enrolment key hint
  • New Gradebook report setting to show/hide percentages in the user report
  • New statistics setting for specifying the maximum number of days processed in each stats execution
  • Checkbox user profile field
  • Indication for administrators when a site is in Maintenance mode
  • Fix for major groups upgrade problem
  • Fix for Firefox password manager problem
  • Fixes for course category edit and add capabilities problems
  • Multiple choice questions in quizzes. Following feedback, we have reversed the change in Moodle 1.9 that showed students feedback to all option, not just the ones they had selected. (MDL-14643)
  • The regression in 1.9.2 that broke images in quiz questions has been fixed.
  • Starting in October 2008, codes need true 10cc integers. (MDL-16715)

Security issues

  • MSA-08-0019: customised PhpMyAdmin package upgraded to
  • MSA-08-0020: quiz/questions capabilities lack some risk flags in access.php files
  • MSA-08-0021: design deficiency combined with incorrect use of format_string() allowing XSS
  • MSA-08-0022: XSS through Wiki page titles
  • MSA-08-0023: CSRF in messaging setting
  • MSA-08-0024: Overriding of frozen values in Moodle forms
  • MSA-08-0025: SQL injection in tags code
  • MSA-08-0026: customised HTML Purifier upgraded to 2.1.5

New language pack

  • Bangla - Razib Mustafiz

(See Translation credits for additional details.)

Moodle 1.9.4

Release date: 28th January 2009

Here is the full list of fixed issues in 1.9.4.


Security issues

  • MSA-09-0001 No way easy to remove pictures of deleted users
  • MSA-09-0002 User pix disclosure
  • MSA-09-0003 Vulnerability in Snoopy 1.2.3
  • MSA-09-0004 XSS vulnerabilities in HTML blocks if "Login as" used
  • MSA-09-0005 Moodle 'spell-check-logic.cgi' Insecure Temporary File Creation Vulnerability
  • MSA-09-0006 Calendar export may allow brute force attacks
  • MSA-09-0007 Missing input validation in logs allows potential XSS attacks
  • MSA-09-0008 CSRF vulnerability in forum code

New language strings file

  • report_security.php

New language pack

  • Kazakh - Калима Туенбаева

(See Translation credits for additional details.)

Known problems and regressions

  • New Security overview report on large sites extremely slow and overloading database server MDL-18040 - update to latest weekly or copy /admin/report/security/* files from latest weekly

Moodle 1.9.5

Release date: May 13th 2009

Here is the full list of fixed issues in 1.9.5.


  • MDL-18083 - Gradebook improvements including tabs navigation option, horizontal scrollbar in grader report, easier editing of categories and items, option to reduce the number of aggregation types and option to allow grades over 100%
  • MDL-17074 - Course default settings in Administration > Courses > Course default settings. Now it's possible to specify some defaults to be applied on interactive course creation. Note this feature is one subset of the more complete defaults available in Moodle 2.0.
  • MDL-17144 - New Spam cleaner report
  • MDL-18468 - New setting in Administration > Miscellaneous > Experimental for checking course backup files for XML errors and splitting into smaller parts for use in the restore process. This will result in improvements to restore robustness and execution times, particularly for medium to large course backups.
  • MDL-18518 - New user profile field - First access
  • MDL-14743 - Help popup link allowing users to switch between English and their own language
  • MDL-11313 - New setting in Administration > Users > Permissions > User policies for allowing users without the assign roles capability to switch roles
  • MDL-18338 - Option to hide groups on user profile pages

Security issues

  • MSA-09-0009 - TeX filter file disclosure
  • MSA-09-0010 - Unzip binary may create symbolic links pointing outside of dataroot on unix/linux servers
  • MSA-09-0011 - Glossary, database and forum ratings are not verified after submission
  • MSA-09-0012 - SQL injections when importing outcomes
  • MSA-09-0013 - Customised PhpMyAdmin upgraded to

Known problems and regressions

  • MDL-19266 - Forum posts containing links are not sent on a PHP4 system (fixed in weekly build of 27th May)
  • MDL-19288 - Context and module information caching regressions on large sites. It was reported that it may cause all sorts of bad things to happen. (fixed in weekly build of 27th May)
  • MDL-19227 - Imports of outcomes by CSV were not being completed successfully (fixed in weekly build of 27th May)

Changes in Moodle API

  • MDL-18066: The import_backup_file_silently() has been modified, so it doesn't provide automatic administrator credentials anymore. The (custom) caller functions have the responsibility of doing that. This change only affects to 3rd party code using the function, core doesn't use it at all.

Moodle 1.9.6

Release date: 21st October 2009

Here is the full list of fixed issues in 1.9.6.


Security issues

  • MSA-09-0016 - Email not properly escaped on user edit page
  • MSA-09-0017 - Upgrade code in 1.9 does not escape tags properly
  • MSA-09-0018 - Incorrect escaping when updating first post in a single simple discussion forum type
  • MSA-09-0019 - SQL injection in update_record
  • MSA-09-0020 - Teachers can view students' grades in all courses in the overview report
  • MSA-09-0021 - Error in ADODB OCI8/MSSQL drivers allows SQL injection vulnerability

New language strings

  • MDL-20371 - publicsitefileswarning3 in moodle.php
  • MDL-19145 - several strings and a new help file. Please check CVS history.

New language packs

  • Marathi - Usha Deo
  • Urdu - Faisal Kaleem

(See Translation credits for additional details.)

Moodle 1.9.7

Release date: 25th November 2009

Important: Upgrading is very highly recommended!

Here is the full list of fixed issues in 1.9.7.


Functional changes

  • To force users to use stronger passwords that are less susceptible to being cracked the password policy is enabled by default in new installs, and switched on when upgrading to 1.9.7.
Admins can review their password policy in Site Administration > Security > Site policies. The default policy requires passwords of at least 8 characters long and containing at least 1 digit, 1 lower case letter, 1 upper case letter and 1 non-alphanumeric character.
  • After upgrading to 1.9.7, admins will be asked to change their passwords next time they log in (manual or email based self-registration accounts only).
  • To reduce the risk of password theft, a password salt is set in config.php in new installs and for upgrades, admins are sent an email recommending that they do so.
  • Teachers lose permission to include ANY user data in a course backup or restore a course including user data due to new capabilities moodle/backup:userinfo and moodle/restore:userinfo which are not set for the default role of teacher. Sites with custom roles should check permissions carefully. Admins can restore those permissions but are informed of the risks in doing so.
  • Hashed user passwords are no longer saved in backup files containing user data. If a backup is restored to a new site, users will be asked to go through the "forgot my password" routine the first time they log in.
  • Moodle will no longer serve any uploaded Flash files to browsers with old Flash plugins. Admins can set the minimum required Flash player version in Site Administration > Security > HTTP Security.

Security issues

New language pack

  • Dhivehi - Ahmed Shareef, Moosa Ali, Amir Hussein

(See Translation credits for additional details.)

Moodle 1.9.8

Release date: 25th March 2010

Here is the full list of fixed issues in 1.9.8.

Special notes

  • If you are using an unusual authentication mechanism then you may experience problems with sessions, and be unable to log in. If this happens to you, add the following to your config.php to make login work:
$CFG->regenloginsession = false;


Security issues

New language packs

  • Asturian - Xosé Nel Caldevilla Vega
  • Zulu - iCyber E-Learning Solutions

(See Translation credits for additional details.)

Moodle 1.9.9

Release date: 8th June, 2010

Here is the full list of issues fixed in 1.9.9


  • MDL-21218 New gradebook course setting 'Hide totals if they contain hidden items' for controlling whether totals containing hidden grade items are shown to students
  • Some general minor bugs fixed in different areas.

Security issues

Some of these vulnerabilities are potentially serious so we strongly recommend you upgrade.

  • MSA-10-0010 Persistent Cross Site Scripting vulnerability in the MNET access control interface
  • MSA-10-0011 Cross Site Scripting vulnerability in blog/index.php
  • MSA-10-0012 KSES Security Filter Bypassing vulnerability
  • MSA-10-0013 Potential Cross Site Scripting vulnerability in Quiz reports

Moodle 1.9.10

Release date: 25th October 2010

Over 110 issues were fixed in 1.9.10. (click to see them)

Security issues

This release upgrades some of the 3rd-party libraries that we use in Moodle. Keeping your Moodle site up to date is, as usual, highly recommended!

  • MSA-10-0017 XSS vulnerability in YUI 2.4.0 through YUI 2.8.1
  • MSA-10-0016 Multiple phpCAS library vulnerabilities
  • MSA-10-0015 Customised HTML Purifier upgraded to 4.2.0

Also notice there was a security problem in the optional phpMyAdmin module:

Moodle 1.9.11

Release date: 21st February 2011

Here is the full list of issues fixed in 1.9.11


  • MDL-16336 - HTML editor doesn't appear in Google Chrome
  • MDL-22970 - Glossary import displays too many items in recent activity
  • MDL-21001 - Range column no longer displayed
  • MDL-24699 - update_user_record function does not specify mnethostid when updating the user table
  • MDL-14934 - Reports/logs download in Excel format shows wrong time

Security issues

  • MSA-11-0002 Cross-site request forgery vulnerability in RSS block
  • MSA-11-0003 Cross-site scripting vulnerability in tag autocomplete
  • MSA-11-0008 IMS enterprise enrolment file may disclose sensitive information

Moodle 1.9.12

Release date: 10th May, 2011

Here is the full list of issues fixed in 1.9.12


  • MDL-9376 - Q and A forum posts only visible after editing time has expired
  • MDL-4633 - Description field in user profile is no longer a required field

Security issues