Affects Version/s: 1.5
Fix Version/s: None
A Moodle site that accepts enrolments with mail confirmation is open to being used as a spam relay.
The procedure is this:
Make a script that creates accounts. There is no Turing-like test at sign-up to verify that a human is doing it, so 1000 signups could be done in a couple of minutes.
One does not need to control a domain to receive the confirmation emails; there are plenty of services out there that provide temporary email addresses. A catch-all address works too, but one's own domain works best.
Next, each account is verified; with your own domain this could easily be automated with procmail and wget.
Then the account is subscribed to a forum where the spammer can post his messages. No Turing test here either, so again this is simply automatable. (Some trickery with cookies is needed, but it can be done in one go with the account confirmation.)
The next step is to change the email address of the account to that of the victim. Moodle allows this without reconfirming the email address.
The last step is the spammer posting his sales pitches on the forum, complete with hyperlinks, HTML and a spyware-infested 'movie' named after a naked celebrity or whatever.
In other words: Moodle needs a Turing test (you know, one of those pictures containing random letters and lines) at the sign-up point.
It also needs to reconfirm a new email address when it is changed.
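To illustrate the second fix, here is an added example of a two-step email change (not Moodle's own code): the new address is only staged until a one-time token mailed to that address comes back. The `$user` array shape and the `sendMail()` helper are assumptions for the illustration.

```php
<?php
// Added illustration, not Moodle code: a profile email change must not take effect
// until the new address has been confirmed, so a confirmed account cannot simply be
// pointed at a victim's mailbox. $user is an assumed in-memory record; a real site
// would persist it to the database.

function sendMail(string $to, string $subject, string $body): void {
    // Hypothetical mailer stub; replace with the site's real mail transport.
    echo "To: $to\nSubject: $subject\n$body\n";
}

// Behaviour described in the report: the new address is applied immediately.
function changeEmailUnsafe(array &$user, string $newEmail): void {
    $user['email'] = $newEmail;
}

// Hardened: stage the change and mail a one-time token to the NEW address only.
function requestEmailChange(array &$user, string $newEmail): void {
    if (filter_var($newEmail, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    $token = bin2hex(random_bytes(32));                 // secret goes only to the new mailbox
    $user['pending_email'] = $newEmail;                 // current email stays in force
    $user['pending_token_hash'] = hash('sha256', $token); // store the hash, never the token
    $user['pending_expires'] = time() + 3600;           // one hour to confirm
    sendMail($newEmail, 'Confirm your new email address',
        "Open https://example.invalid/confirm-email?token=$token to confirm this change.");
}

// Called from the confirmation link; applies the change only for a valid, unexpired token.
function confirmEmailChange(array &$user, string $token): bool {
    if (empty($user['pending_email']) || time() > $user['pending_expires']) {
        return false;                                   // nothing pending, or too late
    }
    if (!hash_equals($user['pending_token_hash'], hash('sha256', $token))) {
        return false;                                   // constant-time token comparison
    }
    $user['email'] = $user['pending_email'];
    unset($user['pending_email'], $user['pending_token_hash'], $user['pending_expires']);
    return true;
}
```

Until confirmEmailChange() succeeds, forum notifications and any other mail keep going to the old, confirmed address.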