Note: You are currently viewing documentation for Moodle 2.4. Up-to-date documentation for the latest stable version of Moodle may be available here: Security FAQ.

Security FAQ: Difference between revisions

From MoodleDocs
m (Protected "Security FAQ" [edit=sysop:move=sysop])
(update)
 
(22 intermediate revisions by 3 users not shown)
Line 1: Line 1:
==How can I report a security issue?==
{{Security}}
==How do I report a security issue?==


Please "Create a new issue" in the [http://tracker.moodle.org Moodle Tracker] describing the problem (and solution if possible) in detail. Make sure you set the Security Level accurately to make sure that the security team sees it. Bugs classified as a "Serious security issue" will be hidden from the general public until the security team (led by Petr Skoda) is able to resolve it and publish fixes to registered Moodle sites (see below).
Please create a new issue in the [http://tracker.moodle.org Moodle Tracker] describing the problem in detail. (You'll need a tracker account in order to create a new issue.) Set the security level to "Serious security issue", then only the security team and yourself as the reporter will be able to view it.
 
Previously fixed security issues are listed in the [http://moodle.org/security/ Moodle.org Security news]. If you are unsure whether a problem has been fixed or not, it's best to report it anyway.


==How can I keep my site secure?==
==How can I keep my site secure?==


* The usual way is to update your whole Moodle to the latest stable release of the version you are using. It is very safe to go from 1.8.1 to 1.8.2+, for example, at any time. [[CVS for Administrators|CVS]] is a very easy way to do this.
It's good practice to always use the latest stable release of the version you are using. [[Git for Administrators|Downloading via Git]] is a very easy way to do this.
* Many of the notices will include patch information. If you are fairly confident with editing scripts, then it may be easier for you to just patch the affected file.
 
==How do I keep track of recent security issues?==
 
* Register your [http://moodle.org/sites Moodle sites] with moodle.org (visit admin/index.php in your installation to see the registration button), making sure to enable the option of being notified about security issues and updates. After your registration is accepted, your email address will be automatically added to our low-volume security alerts mailing list.
 
* Eventually, all important security issues are published to the general public via the [http://moodle.org/mod/forum/view.php?f=996 Moodle Security forum]. You can subscribe to the [http://moodle.org/rss/file.php/1/1/forum/996/rss.xml forum RSS feed] to automatically add new issues in your favourite feed reader or portal. You can also follow [http://twitter.com/moodlesecurity moodlesecurity on Twitter].
 
==Who is able to view security issues in the Tracker?==
 
Depending upon the security level of a Tracker issue, access is restricted to developers, testers or members of the security team.
 
==Which versions of Moodle are supported?==
 
Currently supported versions are listed on [http://download.moodle.org/ download.moodle.org].
 
==My site was hacked. What do I do?==
 
See [[Hacked site recovery]].
 
==How can I reduce spam in Moodle?==
 
See [[Reducing spam in Moodle]].
 
==How can I increase privacy in Moodle?==
 
See [[Increasing privacy in Moodle]].
 
==How do I enable reCAPTCHA?==
 
To add spam protection to the [[Email-based self-registration]] new account form with a CAPTCHA element:
 
#Obtain a reCAPTCHA key from http://recaptcha.net by [https://admin.recaptcha.net/accounts/signup/?next= signing up for an account] (free) then entering a domain.
#Copy and paste the public and private keys provided into the ''recaptchapublickey'' and ''recaptchaprivatekey'' fields in the manage authentication common settings in ''Administration > Users > Authentication > [[Manage authentication]]''.
#Click the "Save changes" button at the bottom of the page.
#Follow the settings link for email-based self-registration in ''Administration > Users > Authentication > Manage authentication'' and enable the reCAPTCHA element.
#Click the "Save changes" button at the bottom of the page.
 
==How can I run the security overview report?==
 
To run the [[Security overview|security overview report]], go to ''Settings > Site administration > Reports > Security overview''.
 
==How can I enable password salting?==
 
Moodle stores passwords as md5 strings. Password salting adds information to these strings to make them practically impossible to reverse. See [[Password salting]] for details of how to enable this feature.
 
==What if I lose my password salt?==
 
If you lose your password salt, then you and all other site users will have to go through password recovery to reset your passwords. To prevent this situation from occuring, you should keep a note of your password salt somewhere other than config.php.


==How can I keep track of recent security issues?==
==See also==


* Register your [http://moodle.org/sites Moodle sites] with moodle.org (visit admin/index.php in your installation to see the registration button), making sure to enable the option of being notified about security issues and updates. After your registration is accepted, your email address will be automatically added to our low-volume securityalerts mailing list.
* Using Moodle [http://moodle.org/mod/forum/view.php?id=7301 Security and Privacy forum]


* Eventually, all important security issues are published to the general public via the [http://moodle.org/mod/forum/view.php?f=996 Moodle Security forum]. You can subscribe to the [http://moodle.org/rss/file.php/1/1/forum/996/rss.xml forum RSS feed] to automatically add new issues in your favourite feed reader or portal.
Using Moodle forum discussions:
* [http://moodle.org/mod/forum/discuss.php?d=124063 Trojan:JS Type Obfuscation Exploits]


[[Category:FAQ]]
[[Category:FAQ]]

Latest revision as of 02:36, 23 October 2012

How do I report a security issue?

Please create a new issue in the Moodle Tracker describing the problem in detail. (You'll need a tracker account in order to create a new issue.) Set the security level to "Serious security issue", then only the security team and yourself as the reporter will be able to view it.

Previously fixed security issues are listed in the Moodle.org Security news. If you are unsure whether a problem has been fixed or not, it's best to report it anyway.

How can I keep my site secure?

It's good practice to always use the latest stable release of the version you are using. Downloading via Git is a very easy way to do this.

How do I keep track of recent security issues?

  • Register your Moodle sites with moodle.org (visit admin/index.php in your installation to see the registration button), making sure to enable the option of being notified about security issues and updates. After your registration is accepted, your email address will be automatically added to our low-volume security alerts mailing list.

Who is able to view security issues in the Tracker?

Depending upon the security level of a Tracker issue, access is restricted to developers, testers or members of the security team.

Which versions of Moodle are supported?

Currently supported versions are listed on download.moodle.org.

My site was hacked. What do I do?

See Hacked site recovery.

How can I reduce spam in Moodle?

See Reducing spam in Moodle.

How can I increase privacy in Moodle?

See Increasing privacy in Moodle.

How do I enable reCAPTCHA?

To add spam protection to the Email-based self-registration new account form with a CAPTCHA element:

  1. Obtain a reCAPTCHA key from http://recaptcha.net by signing up for an account (free) then entering a domain.
  2. Copy and paste the public and private keys provided into the recaptchapublickey and recaptchaprivatekey fields in the manage authentication common settings in Administration > Users > Authentication > Manage authentication.
  3. Click the "Save changes" button at the bottom of the page.
  4. Follow the settings link for email-based self-registration in Administration > Users > Authentication > Manage authentication and enable the reCAPTCHA element.
  5. Click the "Save changes" button at the bottom of the page.

How can I run the security overview report?

To run the security overview report, go to Settings > Site administration > Reports > Security overview.

How can I enable password salting?

Moodle stores passwords as md5 strings. Password salting adds information to these strings to make them practically impossible to reverse. See Password salting for details of how to enable this feature.

What if I lose my password salt?

If you lose your password salt, then you and all other site users will have to go through password recovery to reset your passwords. To prevent this situation from occuring, you should keep a note of your password salt somewhere other than config.php.

See also

Using Moodle forum discussions: