Today our security expert Petr Skoda discovered a potential problem with one of the hidden utility scripts in Moodle that could allow a malicious user within your site to force an admin to unknowingly delete ALL course files.
This bug has been fixed in the CVS versions of the Moodle 1.4 branch and the main CVS trunk (the soon to be released Moodle 1.5 Beta). The download packages are also being re-created.
Since this script is not something many people need anyway, the quickest fix is simply to delete it completely from your installation.
So do that right now! The file to remove is: admin/delete.php