Talk:Security: Difference between revisions
From MoodleDocs
(reported) |
Helen Foster (talk | contribs) (page protected, formatting) |
||
| Line 1: | Line 1: | ||
Should this page deal with valid users as well? I'm talking about input sanitization, etc. For example, in my school's version of Moodle, I can craft some code that logs the user out as soon as they see my forum post. I suggest taking a look at MediaWiki's approach to code sanitizing. -- [[User:Phyzome|Phyzome]] is [[User talk:Phyzome|Tim McCormack]] 12:45, 11 February 2006 (WST) | Should this page deal with valid users as well? I'm talking about input sanitization, etc. For example, in my school's version of Moodle, I can craft some code that logs the user out as soon as they see my forum post. I suggest taking a look at MediaWiki's approach to code sanitizing. -- [[User:Phyzome|Phyzome]] is [[User talk:Phyzome|Tim McCormack]] 12:45, 11 February 2006 (WST) | ||
Tim, I believe what you are mentioning is actually related to the future development of Moodle code, or possibly an existing security bug? There is actually a lead Security Officer, Petr Škoda (skodak), who is charged with reviewing the security code. He would probably like to see an example of what you mentioned. [[User:Moorejon|Moorejon]] Jonathan Moore 8:46, 12 February 2006 (CST) | :Tim, I believe what you are mentioning is actually related to the future development of Moodle code, or possibly an existing security bug? There is actually a lead Security Officer, Petr Škoda (skodak), who is charged with reviewing the security code. He would probably like to see an example of what you mentioned. [[User:Moorejon|Moorejon]] Jonathan Moore 8:46, 12 February 2006 (CST) | ||
Please, take a look at the "Before all" topic I have just added, based on Petr's opinion on this: http://moodle.org/mod/forum/discuss.php?d=39404#182024 - [[User:Davidds|David Delgado]] 02:11, 13 February 2006 (WST) | |||
I have updated the file permissions, with what I hope are more correct values. [[User:Moorejon|Moorejon]] Jonathan Moore 10:52, 14 February 2006 (CST) | |||
== Security for Security page == | |||
Maybe we should take a look at the security in this "Security" page. :-/ Should it be a protected page maintained directly by http://security.moodle.org? Please, give us your opinion on this in the "page comments" label in this page. | |||
:I do think it SHOULD be protected and maintained directly by http://security.moodle.org , since it is the best place to introduce security hazards. Just add "Do not forget to send your admin password to safe@cracker.com", for example. Think also of more sophisticated cracking methods. By the way... moodledata directory owned by root with 700 permissions, [[User:Moorejon|Moorejon]]? :-/ - [[User:Davidds|David Delgado]] 16:44, 13 February 2006 (WST) | :I do think it SHOULD be protected and maintained directly by http://security.moodle.org , since it is the best place to introduce security hazards. Just add "Do not forget to send your admin password to safe@cracker.com", for example. Think also of more sophisticated cracking methods. By the way... moodledata directory owned by root with 700 permissions, [[User:Moorejon|Moorejon]]? :-/ - [[User:Davidds|David Delgado]] 16:44, 13 February 2006 (WST) | ||
I have reported it in full detail at the security.moodle.org site. -- [[User:Phyzome|Phyzome]] is [[User talk:Phyzome|Tim McCormack]] 09:29, 16 February 2006 (WST) | ::I have reported it in full detail at the security.moodle.org site. -- [[User:Phyzome|Phyzome]] is [[User talk:Phyzome|Tim McCormack]] 09:29, 16 February 2006 (WST) | ||
:::I think you make a good point. At a minimum this page needs to be monitored by someone. I think more subtle problems than the send password to x variety could be introduced too. Such as changing the permission numbers or some such. | |||
:::Since I am not a member of security.moodle.org, I can't speak for them. I don't know what all of their duties entail and whether there is a complete match up with what they cover for Moodle and what is covered in the guide. | |||
::::Page protected, as requested. Please use this page for suggesting changes to [[Security]]. --[[User:Helen|Helen]] 19:06, 16 February 2006 (WST) | |||
==Running Moodle with PHP safe_mode=on== | |||
I | Does any security guru dare to document that? I think it is possible to do that (both to run Moodle with safe_mode=on and to write the document). ;-) | ||
Revision as of 11:06, 16 February 2006
Should this page deal with valid users as well? I'm talking about input sanitization, etc. For example, in my school's version of Moodle, I can craft some code that logs the user out as soon as they see my forum post. I suggest taking a look at MediaWiki's approach to code sanitizing. -- Tim McCormack is talk 12:45, 11 February 2006 (WST)
- Tim, I believe what you are mentioning is actually related to the future development of Moodle code, or possibly an existing security bug? There is actually a lead Security Officer, Petr Škoda (skodak), who is charged with reviewing the security code. He would probably like to see an example of what you mentioned. Jonathan Moore Jonathan Moore 8:46, 12 February 2006 (CST)
Please, take a look at the "Before all" topic I have just added, based on Petr's opinion on this: http://moodle.org/mod/forum/discuss.php?d=39404#182024 - David Delgado 02:11, 13 February 2006 (WST)
I have updated the file permissions, with what I hope are more correct values. Jonathan Moore Jonathan Moore 10:52, 14 February 2006 (CST)
Security for Security page
Maybe we should take a look at the security in this "Security" page. :-/ Should it be a protected page maintained directly by http://security.moodle.org? Please, give us your opinion on this in the "page comments" label in this page.
- I do think it SHOULD be protected and maintained directly by http://security.moodle.org , since it is the best place to introduce security hazards. Just add "Do not forget to send your admin password to safe@cracker.com", for example. Think also of more sophisticated cracking methods. By the way... moodledata directory owned by root with 700 permissions, Jonathan Moore? :-/ - David Delgado 16:44, 13 February 2006 (WST)
- I have reported it in full detail at the security.moodle.org site. -- Tim McCormack is talk 09:29, 16 February 2006 (WST)
- I think you make a good point. At a minimum this page needs to be monitored by someone. I think more subtle problems than the send password to x variety could be introduced too. Such as changing the permission numbers or some such.
- Since I am not a member of security.moodle.org, I can't speak for them. I don't know what all of their duties entail and whether there is a complete match up with what they cover for Moodle and what is covered in the guide.
- Page protected, as requested. Please use this page for suggesting changes to Security. --Helen Foster 19:06, 16 February 2006 (WST)
Running Moodle with PHP safe_mode=on
Does any security guru dare to document that? I think it is possible to do that (both to run Moodle with safe_mode=on and to write the document). ;-)
