Forum: Technical > Virtual Learning Platforms
  1. #1 tj2419

    Moodle 1.9 security holes - Help to seal them.

    Hi

    It has recently come to our attention that our Moodle installation is not as secure as it could be.

    We have realised that XSS (cross-site scripting) can be run on our Moodle install by typing code into the ILP text boxes and saving it. Detailed here on moodle.org

    What I need to know is what we can do to stop it. Does anyone have any good advice or easy-to-follow instructions on how we can disable it?

    I also want to be able to restrict what file types the users can upload to Moodle. Is there a way to just have a whitelist of accepted file types and block everything else?

    Thanks
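
    An allowlist check of the kind asked about above, written as an added example for this thread (it is plain PHP of my own, not code from the thread or from Moodle's upload handling; the function names, the accepted extensions and the sample uploads are all assumptions made for the demonstration). It checks every extension segment of the file name, not just the last one, and then compares the first bytes of the content with the signature of the type the extension claims:

```php
<?php
// Added example, not code from the thread or from Moodle itself: a plain-PHP
// allowlist check for uploaded file names plus a check of the file's first
// bytes against the type the extension claims. Function names are my own.

// Extensions the site chooses to accept; everything else is rejected.
$ALLOWED_EXTENSIONS = array('pdf', 'doc', 'docx', 'odt', 'png', 'jpg', 'jpeg', 'gif', 'txt');

// Leading bytes ("magic numbers") for the types we can recognise cheaply.
// Office/ODF files are zip containers, so here they are accepted on extension alone.
$MAGIC = array(
    'png'  => "\x89PNG\r\n\x1a\n",
    'jpg'  => "\xFF\xD8\xFF",
    'jpeg' => "\xFF\xD8\xFF",
    'gif'  => "GIF8",
    'pdf'  => "%PDF-",
);

/**
 * True only if the file name is acceptable under the allowlist.
 * Every dotted segment after the base name must itself be allowed, so
 * "report.php.jpg" is rejected as well as "shell.php": Apache's mod_mime may
 * pick a handler from any of a file's extensions, not just the last one.
 */
function upload_name_allowed($filename, array $allowed) {
    $name = basename(str_replace('\\', '/', $filename));   // drop any directory part
    if ($name === '' || $name[0] === '.' || preg_match('/[\x00-\x1f]/', $name)) {
        return false;                                       // hidden file or control chars
    }
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2) {
        return false;                                       // no extension at all
    }
    array_shift($parts);                                    // discard the base name
    foreach ($parts as $ext) {
        if (!in_array($ext, $allowed, true)) {
            return false;
        }
    }
    return true;
}

/**
 * True if the first bytes of the content match the extension's signature.
 * Types with no signature in $magic are accepted on extension alone.
 */
function upload_content_matches($filename, $head, array $magic) {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!isset($magic[$ext])) {
        return true;
    }
    return strncmp($head, $magic[$ext], strlen($magic[$ext])) === 0;
}

function upload_allowed($filename, $head, array $allowed, array $magic) {
    return upload_name_allowed($filename, $allowed)
        && upload_content_matches($filename, $head, $magic);
}

// Constructed sample uploads (name => first bytes of content); not real files.
$samples = array(
    'essay.pdf'        => "%PDF-1.4 ...",
    'photo.JPG'        => "\xFF\xD8\xFF\xE0 ...",
    'notes.txt'        => "Plain text is fine",
    'shell.php'        => "<?php system(\$_GET['c']); ?>",
    'shell.php.jpg'    => "<?php system(\$_GET['c']); ?>",
    'fake.png'         => "<?php echo 'not a png'; ?>",
    '../../config.php' => "<?php ...",
);
foreach ($samples as $name => $head) {
    $verdict = upload_allowed($name, $head, $ALLOWED_EXTENSIONS, $MAGIC) ? 'accept' : 'reject';
    printf("%-18s %s\n", $name, $verdict);
}
```

    The name check is deliberately an allowlist (what is permitted) rather than a denylist of dangerous extensions, which is why the PHP file renamed to .png is caught by the content check and the double-extension file by the name check. A check like this is only the first gate: uploads should also be stored outside the web root or in a directory where the web server will not execute scripts, and served with a Content-Type chosen by the server rather than taken from the upload.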

  2. #2 Steve21

    Well, in terms of generic security, the big one is to upgrade Moodle.

    Whether you're upgrading to the latest version (2.4 now?) or wanting to keep the old one, upgrade to the latest "patched" version of it (Moodle 1.9.19+).

    In terms of stopping it in code, the link you gave above explains it pretty well. If you want full protection you need to limit/scan a lot; basically every input that's possible will need checking. Basically, any time someone inputs a value, it'll be checked for "mainly" special chars, like \<> etc., and they'll be stripped from the input, thus making the script unusable. However, you can still get around that by using things like the ASCII values for chars etc. etc.; it depends how far you want to go into escaping special chars?

    Steve

  3. #3 tj2419

    Quote Originally Posted by Steve21:
    Well, in terms of generic security, the big one is to upgrade Moodle.

    Whether you're upgrading to the latest version (2.4 now?) or wanting to keep the old one, upgrade to the latest "patched" version of it (Moodle 1.9.19+).

    In terms of stopping it in code, the link you gave above explains it pretty well. If you want full protection you need to limit/scan a lot; basically every input that's possible will need checking. Basically, any time someone inputs a value, it'll be checked for "mainly" special chars, like \<> etc., and they'll be stripped from the input, thus making the script unusable. However, you can still get around that by using things like the ASCII values for chars etc. etc.; it depends how far you want to go into escaping special chars?

    Steve
    We are currently trialling Moodle 2.3 with a view to upgrading. Testing blocks etc. and producing some training docs for staff.

    I kind of understand what the document says, but it's where you make the changes and what code you need to put in that I'm a little lost with.

    Cheers

  4. #4 FN-GM

    @Steve21 2.4 isn't stable and is still in beta.
    @tj2419 If you want to upgrade to 2.3 you can't do it directly from 1.9; you need to upgrade to 2.2 or 2.1 first.

    Version 1.9 hasn't been supported for a while now; ideally you should upgrade software like this before support ends.

  5. #5

    2.4 is stable (according to the moodle.org website).

    1.9.19+ is supported for security fixes only (according to the moodle.org website).

  6. #6 Steve21

    Quote Originally Posted by FN-GM:
    @Steve21 2.4 isn't stable and is still in beta.
    @tj2419 If you want to upgrade to 2.3 you can't do it directly from 1.9; you need to upgrade to 2.2 or 2.1 first.

    Version 1.9 hasn't been supported for a while now; ideally you should upgrade software like this before support ends.
    Not tried it, but according to their website it is?

    Current stable builds
    Moodle 2.4+
    MOODLE_24_STABLE


    Quote Originally Posted by tj2419:
    We are currently trialling Moodle 2.3 with a view to upgrading. Testing blocks etc. and producing some training docs for staff.

    I kind of understand what the document says, but it's where you make the changes and what code you need to put in that I'm a little lost with.

    Cheers
    Basically on every input area (unless you're using a built-in add-on etc.). Example:

    "SearchBox": I search for "<HAX>AMGFormatDB</HAX>". As you haven't stripped anything, your search script will either run that on a database or execute something, etc.

    You'd need to change the "SearchBox" query to do something like:
    // strip <> out of the submitted string, then search for the result
    $newstring = str_replace(array('<', '>'), '', $string);
    $results = search($newstring); // search() stands for whatever runs the query

    etc. etc.

    There should be built-in commands in Moodle that do most of the work for you (at least in newer versions). Example here: Slashes - MoodleDocs

    It'll cancel out any potentially "executable" stuff before it writes it to the database etc.

    But obviously this needs to be done for any potential inputs/outputs etc. etc. if you're doing it manually.

    Steve
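
    A worked comparison of the two approaches discussed in this thread, added here as an example (it is my own plain PHP, not code from the thread or from Moodle; the template, the payloads and the function names are constructed for the demonstration). Path A strips "<" and ">" from the input before it is stored, as described above; path B stores the input verbatim and escapes it on output with htmlspecialchars(), which is the same job Moodle's own s()/p() helpers in lib/weblib.php do. The rendered HTML is then parsed with DOMDocument, the way a browser would parse it, to see whether anything from the input became markup:

```php
<?php
// Added example, not code from the thread or from Moodle: what stripping "<"
// and ">" from the input does and does not stop, compared with escaping the
// stored value on output. The payloads and the template are constructed for
// the demonstration; Moodle's own s()/p() helpers do the same job as escape_html().

// The approach from the post: remove the angle brackets before storing.
function strip_angle_brackets($input) {
    return str_replace(array('<', '>'), '', $input);
}

// Escape for an HTML text node or a double-quoted attribute value.
// ENT_QUOTES encodes both quote characters; the charset must match the page's.
function escape_html($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// A template that shows a student's ILP note twice: as text and as the
// current value of an edit box. $filter is applied to the value on output.
function render_note($note, $filter) {
    return '<p class="ilp-note">' . $filter($note) . '</p>' . "\n"
         . '<input type="text" name="note" value="' . $filter($note) . '">' . "\n";
}

// Parse the rendered HTML the way a browser would and report anything that
// should not be there: a <script> element, or an attribute on the edit box
// other than the three the template wrote.
function injected_markup($html) {
    $doc = new DOMDocument();
    @$doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    $findings = array();
    if ($doc->getElementsByTagName('script')->length > 0) {
        $findings[] = 'script element';
    }
    foreach ($doc->getElementsByTagName('input') as $input) {
        foreach ($input->attributes as $attr) {
            if (!in_array($attr->name, array('type', 'name', 'value'), true)) {
                $findings[] = 'attribute ' . $attr->name;
            }
        }
    }
    return $findings;
}

// Constructed inputs: two attacks and one legitimate note.
$inputs = array(
    'script tag'         => '<script>alert(document.cookie)</script>',
    'attribute breakout' => '" autofocus onfocus="alert(1)',
    'legitimate note'    => 'Target: 5 > 4, learn fractions',
);

foreach ($inputs as $label => $input) {
    // Path A: strip on the way in, echo the stored value untouched.
    $stripped = strip_angle_brackets($input);
    $html_a   = render_note($stripped, 'strval');
    // Path B: store the input verbatim, escape it on the way out.
    $html_b   = render_note($input, 'escape_html');

    printf("%s\n  stored (stripped): %s\n", $label, $stripped);
    printf("  strip-on-input  : %s\n", implode(', ', injected_markup($html_a)) ?: 'clean');
    printf("  escape-on-output: %s\n", implode(', ', injected_markup($html_b)) ?: 'clean');
}
```

    Stripping only removes the characters that matter for a text node. Inside the value="..." attribute the quote character is what matters, so the second payload survives stripping and adds its own attributes to the edit box, while the legitimate note loses its ">" and is stored corrupted. Escaping on output handles both, because it is done with knowledge of where the value is going. It still only covers HTML text and attribute values: a value placed into an href needs a separate check that the scheme is http or https, and a value placed inside a script block needs JavaScript-specific encoding.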

  7. #7 FN-GM

    @Steve21 sorry about that. It wasn't stable 7 days ago; it's only just come to stable release in the last week.
