Note: You are currently viewing documentation for Moodle 4.0. Up-to-date documentation for the latest stable version of Moodle may be available here: Security:Insecure configuration management.

Development:Security:Insecure configuration management

From MoodleDocs
Revision as of 12:35, 6 November 2009 by Tim Hunt (talk | contribs) (New page: This page forms part of the Moodle security guidelines. ==What is the danger?== Evil Hacker somehow gets access to your server some time and installs some nasty ...)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

This page forms part of the Moodle security guidelines.

What is the danger?

Evil Hacker somehow gets access to your server some time and installs some nasty code. For example, they could add some code to the login page that records every username and password entered, and sends it back to evel-hacker.com.

Unfortunately, you have no procedures in place for detecting that this is happening.


How Moodle avoids this problem

This is not really a problem that can be solved from within Moodle code. However, any Moodle code that does install other PHP code (for example admin/langimport.php) must be written with extreme care.


What you need to do in your code

  • If you are writing code like admin/langimport.php, make sure you know what you are doing.


What you need to do as an administrator

  • Think about how you deploy the Moodle code to your server. For example, if you use CVS, then 'cvs status' will tell you which files have been edited.
  • Alternatively, if you upload the Moodle code manually, delete all the old code except config.php before you upload a new version.
  • Be very careful who can access your servers.


See also

Template:CategoryDeveloper

Retrieved from "https://docs.moodle.org/400/en/index.php?title=Development:Security:Insecure_configuration_management&oldid=64965"
Powered by MediaWiki