Moodle Doesn’t Yet Actually Require MySQL 8.0

We were recently working on an upgrade of a Moodle website to version 4.3, which originally started as an upgrade to Moodle 4.2. We ran into an issue because those versions require that installations using the MySQL database server be on at least version 8.0. That is up from the previous requirement of at least version 5.7. The web host for the website hadn’t yet moved to that version, so we were at an apparent impasse.

Checking further into this, we found that, while the required MySQL version was raised in Moodle 4.2, that version doesn’t appear to actually be required. The discussion on raising the required version can be found here. The change wasn’t made because of usage of new features of MySQL 8.0, but because support for MySQL 5.7 was going to be ending soon.

In line with that, after upgrading to Moodle 4.2 or 4.3 there were no problems with the website caused by the usage of the older version of MySQL.

Getting through Moodle’s pre-upgrade checks did require manually changing the required version of MySQL in the file /admin/environment.xml.

Latest Versions of Moodle Contain Publicly Disclosed Authenticated SQL Injection and XSS Vulnerabilities

A week ago an authenticated SQL injection vulnerability and a cross-site scripting (XSS) vulnerability that exist in the latest version of Moodle were publicly disclosed. The post in which that was done makes no mention of notifying the Moodle developers about the issue.

The vulnerabilities received more exposure in an article on a news outlet owned by the security company PortSwigger yesterday. Curiously, especially considering the owner of the news outlet, the article doesn’t address why the vulnerabilities appear to have been fully disclosed instead of being reported to the developer first. That article does say that its author contacted Moodle:

The Daily Swig has reached out to Moodle to learn more and will update this article accordingly.

(That article also inaccurately states that the “bug appears to have been reported in a GitHub post from 2013”, when according to the original post, that was when the vulnerabilities were introduced, not reported.)

So far the post hasn’t been updated with a response from Moodle.

We confirmed that the claims made about the authenticated SQL injection vulnerability and cross-site scripting (XSS) vulnerability are true with the most recent version of Moodle, 3.11.5. Based on when the vulnerabilities were introduced into the code, they should also exist in the latest releases of the previous versions of Moodle that still receive security updates, 3.10.9 and 3.9.12.

To exploit this the attacker would need to be logged in to Moodle and be assigned as a teacher of a course. The SQL injection vulnerability could be exploited to read the contents of Moodle’s database and the XSS vulnerability to cause malicious JavaScript code to be shown on pages of the website.

We contacted Moodle’s security team yesterday to make sure they were aware of this.

While we don’t know why the discloser appears not to have notified them, we found that the form they provide for reporting security issues is problematic and could turn people away from reporting issues to them. As one example of that, the form includes several hard to understand items, including one asking for the “Target”:

The two options provided are “bugcrowd.moodle.com (testing site)” and “Other”. We are regularly in contact with developers about security issues in their software and we are not sure what that is supposed to refer to.

At the end of their form is a quite strange item for someone simply trying to report a security issue: you have to agree to the terms and conditions of a company named Bugcrowd:

It isn’t explained why you need to do that or why that third party should be involved in trying to address something with Moodle.

We noted those issues when we notified Moodle and hopefully they will get things improved, so that people are more likely to report issues to them first instead of publicly disclosing them.

If you have a Moodle website that has been hacked, we offer a service to help address that.

Your Courses Will Remain After Upgrading Moodle

One common misconception that we don’t quite understand, but which comes up often when we are contacted about possibly doing upgrades of software on websites, is a belief that after an upgrade the content of the website will not be there anymore and will need to be transferred back to it. We are not sure where that would come from, since if that were the case there wouldn’t be a reason for doing upgrades: you could cut out a step and just do a new install of the software and then do a transfer. (If an “upgrade” required that, it would actually be a migration, not an upgrade.)

Because it specifically came up recently, we wanted to make it clear to a wider audience that upgrading Moodle will not cause courses or other content to go missing and need to be restored. That being said, when we do upgrades of Moodle we first do a test of the upgrade to ensure that nothing goes wrong during the upgrade process and that everything will work with the new version of Moodle, since a real concern is that there might be an incompatibility between the new version of Moodle and, say, the hosting environment the website is hosted on.

We offer both one time Moodle upgrades and ongoing upgrades on a subscription basis.

Upgrading Moodle Resolves the “reCAPTCHA V1 IS SHUTDOWN” Error

Oftentimes when we are contacted about upgrading software on websites it is due to an assumption that doing that will resolve some error or other problem occurring with the website. In a lot of those cases doing an upgrade will not resolve the issue, as it has no connection to the version of the software in use. That is a good reason for people not to try to self-diagnose issues with their websites instead of bringing in someone with more expertise: they could end up spending a lot of money on an upgrade without being any closer to having the problem resolved, while the real issue can sometimes be resolved very easily if someone who knows what they are doing is handling things.

A recent exception to this situation is with Moodle websites that use its built-in support for Google’s reCAPTCHA service. Support for the v1 API of reCAPTCHA ended in March. Websites running older versions of Moodle that are set to use the reCAPTCHA feature will now show the following error message:

For those currently running versions 3.1-3.4 of Moodle the solution is to do a minor upgrade, as support for the v2 API was added in 3.1.11, 3.2.8, 3.3.5, and 3.4.2. For those running older versions, those releases are no longer supported, so you will need to upgrade to a supported release. That would have been a good idea to do some time ago anyway, considering that the previous version, 3.0, stopped receiving security updates just over a year ago.

We offer both one time upgrades of Moodle as well as upgrades on a subscription basis.

InMotion Hosting Prominently Promoting Installation of EOL’d Joomla Version

When it comes to keeping websites secure, keeping the software on them up to date is one of the basic measures that needs to be taken. We know that web hosts are aware of this because they will often tell people when their websites have been hacked that it was due to outdated software (since this usually isn’t based on any actual evidence, it often is wrong). Unfortunately we continue to find that web hosts don’t bother to make sure that they are not distributing outdated software to their customers.

Recently, while doing some work on a website hosted with InMotion Hosting, we noticed that in the website’s cPanel control panel the option to install Joomla 2.5 was being prominently displayed:

[Screenshot: InMotion Hosting cPanel showing the Joomla 2.5 install option]

That should not be happening since support for Joomla 2.5 ended back on December 31. Not only does that put websites at risk if a security issue is found in Joomla 2.5, but it can cause unnecessary trouble down the road because upgrading from Joomla 2.5 to 3.x is not always the one-click upgrade it is promoted as.

On the installation page they do provide the option to install the currently supported version of Joomla, 3.4.1, as well. But you would have to select that version from a drop-down box:

[Screenshot: InMotion Hosting Joomla 2.5 installation page]

The problems don’t stop there. On the main page for their software installing service the ninth slot is Moodle 2.0:

[Screenshot: InMotion Hosting top applications list]

Support for Moodle 2.0 ended nearly three years ago, in June 2012.

As with Joomla, they do also offer supported versions, but you would have to select those from a drop-down where 2.0 is the default:

[Screenshot: InMotion Hosting Moodle 2.0 installation page]

Installing this version now will lead to otherwise unnecessary work down the road because Moodle will have to be upgraded to version 2.2 before it can be upgraded to version 2.3 or higher.

DreamHost’s Failure to Keep MySQL Updated Blocks Use of Latest Moodle Version

When it comes to the security of websites, keeping the software running them up to date is important. While web hosts make a point of emphasizing the need to keep user-added software up to date, to the point of often incorrectly jumping to the conclusion that a website must have been hacked due to outdated software, they often fail to do their part by keeping the software running the server up to date. In the case of DreamHost, this now not only means that their servers are not properly secured, but also that recent software can’t be used.

The latest version of Moodle, 2.7, requires at least version 5.5.31 of MySQL. This shouldn’t be a problem, as MySQL 5.5 is currently the oldest series supported and version 5.5.31 was released 16 months ago. Unfortunately, while we were preparing to do a Moodle upgrade for a client hosted with DreamHost we found that they are still on version 5.1.56. Our client contacted them about this and didn’t get any movement on getting this updated. They were not the first, as the issue was brought up in May in a thread on the DreamHost forum requesting that MySQL be updated. A DreamHost representative replied in the thread before and after that, so they should have been aware that it was mentioned.

While the inability to use the latest version of Moodle is of concern, the larger issue is just how out of date DreamHost leaves the software running on their servers. Support for MySQL 5.1 ended at the end of last year, so they have been running an unsupported version for eight months. If they needed to stick to MySQL 5.1 for some reason, then you would expect that they would be running the last version of 5.1, but they are not. Instead they are running a version that is over three years out of date (5.1.57 was released in May of 2011) and they didn’t update after either of the two subsequent releases with security updates (5.1.62 and 5.1.63) was put out.

Outdated Software Running on Websites of WordPress and Other Web Software

When the makers of web software talk about security they always emphasize the importance of keeping software updated. One of the developers of WordPress said it this way: “The only thing that I can promise will keep your blog secure today and in the future is upgrading.” Keeping software updated is good advice, but it isn’t advice that the software makers, including WordPress, always follow themselves.

We recently mentioned a pretty egregious example of this from OpenX. Their blog, where they recently said it is critical to keep software up to date, is running a version of WordPress that is over three years out of date. Also, the main portion of their website appears to be running a version of Drupal that is over a year out of date.

MediaWiki, the software that powers Wikipedia, runs portions of many web software makers’ websites, so we decided that it would be a good choice for checking whether software makers are keeping other people’s software running on their websites up to date. There are several ways to check what version of MediaWiki is running, and the easiest way to check for outdated MediaWiki installations is to use our Meta Generator Version Check web browser extension, available for Firefox and Chrome. The extension will show a warning icon when a web page has a meta generator tag from an outdated version of web software.

For those not familiar with MediaWiki, they currently provide security updates for the two most recent releases, 1.17.x and 1.18.x. The most recent versions of those releases are 1.17.2 and 1.18.1, both of which were released on January 11. We update our web browser extension a month after a new version is released, so until then it will check for MediaWiki versions below 1.17.1.
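The check the extension performs, reduced to its essentials as an added example (this is not the extension’s own code): read the MediaWiki version from a page’s meta generator tag and compare it with the thresholds stated above (flag anything below 1.17.1, and report how far behind the latest release of a supported branch a version is). The sample pages are constructed, not captured from the sites discussed.

```python
import re

# Threshold the check flags, matching the one-month lag described above.
MIN_VERSION = (1, 17, 1)

# Supported branches and their latest releases as stated in the post;
# any other branch (1.15.x, 1.16.x, ...) is treated as unsupported.
LATEST_IN_BRANCH = {(1, 17): (1, 17, 2), (1, 18): (1, 18, 1)}

META_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']([^"\']*)["\']')
GENERATOR_RE = re.compile(r"MediaWiki\s+(\d+(?:\.\d+)*)", re.IGNORECASE)


def mediawiki_version(html):
    """Return the MediaWiki version from the meta generator tag as a 3-tuple, or None."""
    for tag in META_RE.findall(html):
        # Attribute order varies between templates, so parse attributes by name.
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("name", "").lower() != "generator":
            continue
        m = GENERATOR_RE.match(attrs.get("content", ""))
        if m:
            parts = tuple(int(p) for p in m.group(1).split("."))
            return (parts + (0, 0, 0))[:3]  # pad "1.18" to (1, 18, 0)
    return None


def assess(html):
    """Classify a page as unknown, current or outdated, with branch detail."""
    ver = mediawiki_version(html)
    if ver is None:
        return {"version": None, "status": "unknown"}
    latest = LATEST_IN_BRANCH.get(ver[:2])
    return {
        "version": ".".join(map(str, ver)),
        "supported_branch": latest is not None,
        "minor_updates_behind": (latest[2] - ver[2]) if latest else None,
        "status": "outdated" if ver < MIN_VERSION else "current",
    }


# Constructed sample pages using versions the post reports (not real captures).
SAMPLES = {
    "codex": '<html><head><meta name="generator" content="MediaWiki 1.15.5" /></head></html>',
    "moodledocs": '<html><head><meta content="MediaWiki 1.17.0" name="generator"></head></html>',
    "typo3wiki": '<html><head><meta name="generator" content="MediaWiki 1.18.1" /></head></html>',
    "no_tag": "<html><head><title>No generator tag</title></head></html>",
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(name, assess(html))
```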

Before mentioning the websites running outdated versions it is worth noting that one website we checked was actually up to date. TYPO3’s TYPO3Wiki is running 1.18.1.

WordPress

[Screenshot: WordPress Codex MediaWiki version]

The WordPress Codex is the most out of date as it is running 1.15.5, which is two supported releases out of date. Support for 1.15.x ended in December of 2010.

Zen Cart

[Screenshot: Zen Cart Wiki MediaWiki version]

The Zen Cart Wiki is one supported release out of date and running a version, 1.16.2, that is three minor updates out of date. Support for 1.16.x ended in late November of last year.

Joomla

[Screenshot: Joomla! Documentation MediaWiki version]

Joomla! Documentation is one supported release out of date and running a version, 1.16.4, that is one minor update out of date.

phpBB

[Screenshot: phpBB Development Wiki MediaWiki version]

The phpBB Development Wiki is at least running the most recent version of 1.16.x, 1.16.5, but that release is no longer supported.

Moodle

[Screenshot: MoodleDocs MediaWiki version]

MoodleDocs is at least running a supported release, 1.17.x, but the version, 1.17.0, is two minor updates out of date.