Revision as of 11:06, 16 February 2006 by Helen Foster (talk | contribs) (page protected, formatting)


Note: You are currently viewing documentation for Moodle 1.9. Up-to-date documentation for the latest stable version is available here: Security.

Should this page deal with valid users as well? I'm talking about input sanitization, etc. For example, in my school's version of Moodle, I can craft some code that logs the user out as soon as they see my forum post. I suggest taking a look at MediaWiki's approach to code sanitizing. -- Tim McCormack is Tim McCormack 12:45, 11 February 2006 (WST)

Tim, I believe what you are mentioning is actually related to the future development of Moodle code, or possibly an existing security bug? There is actually a lead Security Officer, Petr Škoda (skodak), who is charged with reviewing the security code. He would probably like to see an example of what you mentioned. Jonathan Moore Jonathan Moore 8:46, 12 February 2006 (CST)

Please, take a look at the "Before all" topic I have just added, based on Petr's opinion on this: - David Delgado 02:11, 13 February 2006 (WST)

I have updated the file permissions, with what I hope are more correct values. Moorejon Jonathan Moore 10:52, 14 February 2006 (CST)

Security for Security page

Maybe we should take a look at the security in this "Security" page. :-/ Should it be a protected page maintained directly by Please, give us your opinion on this in the "page comments" label in this page.

I do think it SHOULD be protected and maintained directly by , since it is the best place to introduce security hazards. Just add "Do not forget to send your admin password to", for example. Think also of more sophisticated cracking methods. By the way... moodledata directory owned by root with 700 permissions, Moorejon? :-/ - David Delgado 16:44, 13 February 2006 (WST)
I have reported it in full detail at the site. -- Phyzome is Tim McCormack 09:29, 16 February 2006 (WST)
I think you make a good point. At a minimum this page needs to be monitored by someone. I think more subtle problems than the send password to x variety could be introduced too. Such as changing the permission numbers or some such.
Since I am not a member of, I can't speak for them. I don't know what all of their duties entail and whether there is a complete match up with what they cover for Moodle and what is covered in the guide.
Page protected, as requested. Please use this page for suggesting changes to Security. --Helen Foster 19:06, 16 February 2006 (WST)

Running Moodle with PHP safe_mode=on

Does any security guru dare to document that? I think it is possible to do that (both to run Moodle with safe_mode=on and to write the document). ;-)