Difference between revisions of "Talk:Security"


Note: You are currently viewing documentation for Moodle 1.9. Up-to-date documentation for the latest stable version is available here: Security.


Revision as of 11:06, 16 February 2006

Should this page deal with valid users as well? I'm talking about input sanitization, etc. For example, in my school's version of Moodle, I can craft some code that logs the user out as soon as they see my forum post. I suggest taking a look at MediaWiki's approach to code sanitizing. -- Phyzome is Tim McCormack 12:45, 11 February 2006 (WST)
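As an added illustration of the allow-list style of sanitising that the post above points at, here is example code written for this talk page; it is not Moodle's or MediaWiki's code. The tag and attribute allow-list, the URL-scheme list and the sample posts are assumptions chosen for the demonstration. The point it shows is the one that matters for a forum post: unknown tags are dropped while their text is kept, no event-handler attribute is ever on the list so none can survive, and an href is only kept when its scheme is one the allow-list names, so a javascript: link is stripped even when it is disguised with mixed case or embedded control characters.

```python
"""Allow-list HTML sanitiser for user-submitted forum text.

Added example, not Moodle or MediaWiki code.  The tag/attribute allow-list
and the sample posts at the bottom are assumptions chosen for illustration.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list: tags a post may contain, mapped to the attributes each
# tag may carry.  Anything not listed is dropped; attributes such as onclick
# or style are never listed, so event handlers cannot survive.
ALLOWED_TAGS = {
    "b": set(), "i": set(), "em": set(), "strong": set(), "p": set(),
    "br": set(), "ul": set(), "ol": set(), "li": set(), "code": set(),
    "pre": set(), "blockquote": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}            # tag and its contents go
SAFE_URL_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL


def safe_url(value):
    """True only for relative, http(s) or mailto URLs.

    Control characters are removed first because browsers ignore them when
    reading a scheme, so "java\\x00script:" must be judged as "javascript:".
    """
    cleaned = "".join(ch for ch in value if ord(ch) >= 0x20).strip()
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return False
    return scheme in SAFE_URL_SCHEMES


class AllowListSanitizer(HTMLParser):
    """Re-serialises input keeping only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags emitted but not yet closed
        self.skip = 0         # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return            # unknown tag dropped, its text content kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name == "href" and not safe_url(value):
                continue      # javascript:, data:, vbscript: ... rejected
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in self.open_tags:
            return            # stray close tag: ignore
        while self.open_tags:  # close down to the match so nesting stays valid
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

    # comments, <!DOCTYPE>, <?pi?> fall through HTMLParser defaults: dropped

    def result(self):
        self.close()           # flush text HTMLParser is still buffering
        while self.open_tags:  # close whatever the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html_text):
    parser = AllowListSanitizer()
    parser.feed(html_text)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample posts (not real forum content).
    samples = [
        '<b>hello</b> <a href="http://moodle.org/">Moodle</a>',
        '<script>alert(1)</script>text',
        '<a href="javascript:alert(1)" onclick="x()">click</a>',
        '<p onmouseover="x()">hi <i>there</p>',
    ]
    for post in samples:
        print(f"{post!r:60} -> {sanitize(post)!r}")
```

The sanitiser re-serialises from the parse tree rather than filtering the raw string with regular expressions; that is why an unterminated `<i>` still comes out closed and why a tag the allow-list does not know cannot carry anything through. Run it as a script to see the four constructed posts before and after.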

Tim, I believe what you are mentioning is actually related to the future development of Moodle code, or possibly an existing security bug? There is actually a lead Security Officer, Petr Škoda (skodak), who is charged with reviewing the security code. He would probably like to see an example of what you mentioned. Moorejon Jonathan Moore 8:46, 12 February 2006 (CST)

Please, take a look at the "Before all" topic I have just added, based on Petr's opinion on this: http://moodle.org/mod/forum/discuss.php?d=39404#182024 - David Delgado 02:11, 13 February 2006 (WST)

I have updated the file permissions, with what I hope are more correct values. Moorejon Jonathan Moore 10:52, 14 February 2006 (CST)

Security for Security page

Maybe we should take a look at the security in this "Security" page. :-/ Should it be a protected page maintained directly by http://security.moodle.org? Please, give us your opinion on this in the "page comments" label on this page.

I do think it SHOULD be protected and maintained directly by http://security.moodle.org , since it is the best place to introduce security hazards. Just add "Do not forget to send your admin password to safe@cracker.com", for example. Think also of more sophisticated cracking methods. By the way... moodledata directory owned by root with 700 permissions, Moorejon? :-/ - David Delgado 16:44, 13 February 2006 (WST)
I have reported it in full detail at the security.moodle.org site. -- Phyzome is Tim McCormack 09:29, 16 February 2006 (WST)

I think you make a good point. At a minimum this page needs to be monitored by someone. I think more subtle problems than the "send password to x" variety could be introduced too, such as changing the permission numbers.

Since I am not a member of security.moodle.org, I can't speak for them. I don't know what all of their duties entail and whether there is a complete match-up between what they cover for Moodle and what is covered in the guide.

Page protected, as requested. Please use this page for suggesting changes to Security. --Helen Foster 19:06, 16 February 2006 (WST)

Running Moodle with PHP safe_mode=on

Does any security guru dare to document that? I think it is possible to do that (both to run Moodle with safe_mode=on and to write the document). ;-)