Note: You are currently viewing documentation for Moodle 1.9. Up-to-date documentation for the latest stable version is available here: Security.
Should this page deal with valid users as well? I'm talking about input sanitization, etc. For example, in my school's version of Moodle, I can craft some code that logs the user out as soon as they see my forum post. I suggest taking a look at MediaWiki's approach to code sanitizing. -- Tim McCormack is Tim McCormack 12:45, 11 February 2006 (WST)
- Tim, I believe what you are mentioning is actually related to the future development of Moodle code, or possibly an existing security bug? There is actually a lead Security Officer, Petr Škoda (skodak), who is charged with reviewing the security code. He would probably like to see an example of what you mentioned. Jonathan Moore Jonathan Moore 8:46, 12 February 2006 (CST)
Please, take a look at the "Before all" topic I have just added, based on Petr's opinion on this: http://moodle.org/mod/forum/discuss.php?d=39404#182024 - David Delgado 02:11, 13 February 2006 (WST)
I have updated the file permissions, with what I hope are more correct values. Moorejon Jonathan Moore 10:52, 14 February 2006 (CST)
Security for Security page
Maybe we should take a look at the security in this "Security" page. :-/ Should it be a protected page maintained directly by http://security.moodle.org? Please, give us your opinion on this in the "page comments" label in this page.
- I do think it SHOULD be protected and maintained directly by http://security.moodle.org , since it is the best place to introduce security hazards. Just add "Do not forget to send your admin password to email@example.com", for example. Think also of more sophisticated cracking methods. By the way... moodledata directory owned by root with 700 permissions, Moorejon? :-/ - David Delgado 16:44, 13 February 2006 (WST)
- I think you make a good point. At a minimum this page needs to be monitored by someone. I think more subtle problems than the send password to x variety could be introduced too. Such as changing the permission numbers or some such.
- Since I am not a member of security.moodle.org, I can't speak for them. I don't know what all of their duties entail and whether there is a complete match up with what they cover for Moodle and what is covered in the guide.
Running Moodle with PHP safe_mode=on
Does any security guru dare to document that? I think it is possible to do that (both to run Moodle with safe_mode=on and to write the document). ;-)