I am working on a revision of these guidelines. I am going to hack around on this talk page before copying the result to the main page.

People seem happy enough with the new format that I have copied it to the main page.

Start of new page contents.

I will just leave the [[Development:Security:Template]] link here.

-----------
This page describes how to write secure Moodle code that is not vulnerable to anything that evil people may try to throw at it.

The page is organised around the common types of security vulnerability. For each one, it explains

# what the danger is,
# how Moodle is designed to avoid the problem, and
# what you need to do in your code to keep Moodle secure.

The explanation of each vulnerability is on a separate page, linked to in the list below.

This page also summarises all the key guidelines.

==Common types of security vulnerability==

* [[Development:Security:Unauthenticated access|Unauthenticated access]]
* Unauthorised access
* [[Development:Security:Cross-site_request_forgery|Cross-site request forgery]] (XSRF)
* Cross-site scripting (XSS)
* SQL injection
* Command-line injection
* Confidential information leakage
* Configuration information leakage
* Session fixation
* Denial of service
* Brute-forcing login
* Insecure configuration management
* Buffer overruns, and other platform weaknesses
* Social engineering

==Summary of the guidelines==

* TODO

==See also==

* [[Development:Coding]]

[[Category:Developer]]
[[Category:Security]]

------

End of new page contents.

Please comment below.