Virtual Learning Platforms Thread (forum: Technical)
  1. #1


    Moodle 1.9 security holes - Help to seal them.

    Hi

    It has recently come to our attention that our moodle installation is not as secure as it could be.

    We have realised that XSS (cross-site scripting) can be run on our moodle install by typing code into the ILP text boxes and saving it. Detailed here on moodle.org

    What I need is to know what we can do to stop it. Anyone have any good advice or easy-to-follow instructions on how we can disable it?

    I also want to be able to restrict what file types the users can upload to moodle. Is there a way to just have a white list of accepted file types and block everything else?

    Thanks

  2. #2

    Steve21
    Well in terms of generic security, the big one is upgrade moodle.

    Whether you're upgrading to the latest version (2.4) now, or wanting to keep the old one, upgrade to the latest "patched" version of it (Moodle 1.9.19+).

    In terms of stopping it by coding, the link you gave above explains it pretty well. If you want full protection you need to limit/scan a lot; basically every input that's possible will need checking. Basically, any time someone inputs a value, it'll be checked for "mainly" special chars, like \<> etc., and they'll be stripped from the input, thus making the script unusable. However, you can still get around that by using things like the ASCII values for chars etc. etc.; it depends how far you want to go into escaping special chars.

    Steve

  3. #3

    Quote Originally Posted by Steve21:
    Well in terms of generic security, the big one is upgrade moodle.

    Whether you're upgrading to the latest version (2.4) now, or wanting to keep the old one, upgrade to the latest "patched" version of it (Moodle 1.9.19+).

    In terms of stopping it by coding, the link you gave above explains it pretty well. If you want full protection you need to limit/scan a lot; basically every input that's possible will need checking. Basically, any time someone inputs a value, it'll be checked for "mainly" special chars, like \<> etc., and they'll be stripped from the input, thus making the script unusable. However, you can still get around that by using things like the ASCII values for chars etc. etc.; it depends how far you want to go into escaping special chars.

    Steve
    We are currently trialling moodle 2.3 with a view to upgrading. Testing blocks etc. and producing some training docs for staff.

    I kind of understand what the document says, but it's where you make the changes and what code you need to put in that I'm a little lost with.

    Cheers

  4. #4

    FN-GM
    @Steve21 2.4 isn't stable and is still in Beta
    @tj2419 If you want to upgrade to 2.3 you can't do it directly from 1.9; you need to upgrade to 2.2 or 2.1 first.

    Version 1.9 hasn't been supported for a while now, ideally you should upgrade software like this before support ends.

  5. #5


    2.4 is stable (According to the moodle.org website)

    1.9.19+ is supported for security fixes only (according to the moodle.org website).

  6. #6

    Steve21
    Quote Originally Posted by FN-GM:
    @Steve21 2.4 isn't stable and is still in Beta
    @tj2419 If you want to upgrade to 2.3 you can't do it directly from 1.9; you need to upgrade to 2.2 or 2.1 first.

    Version 1.9 hasn't been supported for a while now, ideally you should upgrade software like this before support ends.
    Not tried it, but according to their website it is?

    Current stable builds
    Moodle 2.4+
    MOODLE_24_STABLE


    Quote Originally Posted by tj2419:
    We are currently trialling moodle 2.3 with a view to upgrading. Testing blocks etc. and producing some training docs for staff.

    I kind of understand what the document says, but it's where you make the changes and what code you need to put in that I'm a little lost with.

    Cheers
    Basically on every input area (unless you're using a built-in addon etc.). Example:

    "SearchBox": I search for "<HAX>AMGFormatDB</HAX>". As you haven't stripped anything, your search script will either run that on a database or execute something etc.

    You'd need to change the "SearchBox" query to do something like:
    NewString = Strip <> out of String
    Search for NewString

    etc etc

    There should be built-in commands in moodle that do most of the work for you (at least in newer versions). Example here: Slashes - MoodleDocs

    It'll cancel out any potentially "executable" stuff before it writes it to database etc.

    But obviously this needs to be done for any potential inputs/outputs etc etc if you're doing it manually.

    Steve
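
The two approaches discussed in this post, the "strip <> out of the string" step and escaping on output (the job Moodle's built-in helpers do), as an added Python example that is not from the thread or from Moodle's own code. The search page template and the sample queries are constructed for the demonstration.

```python
import html
import re

# The step described in the thread: strip angle brackets out of the input
# before it is stored ("NewString = Strip <> out of String").
def strip_angle_brackets(value: str) -> str:
    return re.sub(r"[<>]", "", value)

# The alternative: store the text as typed and escape it when it is written
# into the page. quote=True also encodes " and ', so the value stays inert
# inside an attribute as well as in element content.
def escape_for_html(value: str) -> str:
    return html.escape(value, quote=True)

# A search page that echoes the query into an attribute and into element
# content, the two places a search box usually shows it. `sanitiser` is
# whichever of the two functions above (or no sanitiser) is being used.
def render_search_page(query: str, sanitiser) -> str:
    safe = sanitiser(query)
    return (f'<input type="text" name="q" value="{safe}">\n'
            f'<p>Results for: {safe}</p>')

TEMPLATE_TAGS = {"input", "p"}          # tags the page itself contains
TAG_NAME_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)")

# Number of tag names in the rendered page that did not come from the
# template, i.e. markup that originated in the user's query.
def foreign_tag_count(rendered_html: str) -> int:
    return sum(1 for name in TAG_NAME_RE.findall(rendered_html)
               if name.lower() not in TEMPLATE_TAGS)

# Constructed queries (not from the thread): Steve21's search-box example and
# a legitimate query that happens to use < and >.
TAG_QUERY = "<HAX>AMGFormatDB</HAX>"
MATHS_QUERY = "x < y and y > z"

def compare(query: str) -> dict:
    raw = render_search_page(query, lambda v: v)
    stripped = render_search_page(query, strip_angle_brackets)
    escaped = render_search_page(query, escape_for_html)
    return {
        "raw_foreign_tags": foreign_tag_count(raw),
        "stripped_foreign_tags": foreign_tag_count(stripped),
        "escaped_foreign_tags": foreign_tag_count(escaped),
        # stripping is lossy: what is stored and shown is not what was typed
        "stripped_keeps_text": query in stripped,
        # escaping is reversible: the browser shows exactly what was typed
        "escaped_keeps_text": html.unescape(escape_for_html(query)) == query,
    }
```

Stripping neutralises the sample tag but silently alters legitimate text such as "x < y"; escaping leaves both queries inert in the page and displays the text exactly as typed.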

  7. #7

    FN-GM
    @Steve21 sorry about that. It wasn't stable 7 days ago; it's only just come to stable release in the last week.