Security in Moodle plugins
Marina Glancy, Moodle HQ
MoodleMoot Australia 2015, #mootau15
the world’s open source learning platform
About me
Development Process Manager in Moodle HQ
Working for Moodle since 2011
15 years of software development
MSc in Computer Science
Anti social media
Love open-source
1 + 1 = ∞
Security vulnerabilities: developer mistake + hacker exploit = infinite damage
https://docs.moodle.org/dev/Security
Typical security vulnerabilities in Moodle:
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
Privilege escalation (incl. unauthorised access)
Information leakage
SQL injection
Command-line and code injection
Illegal file access
Denial of service, buffer overflow, timeout, etc.
Cross-site scripting (XSS)
XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
[Slide images: example of “good” JavaScript; example of “bad” JavaScript]
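The slide's "good" and "bad" examples are images; the following page is an added example written for this transcript, not code from the slides or from Moodle itself. It assumes a hypothetical plugin "local_demo" and a request parameter "name"; optional_param(), s(), html_writer, format_text() and format_string() are real Moodle API.

```php
<?php
// Added example, not from the slides: one page of a hypothetical plugin
// "local_demo" (the plugin name and the 'name' parameter are assumptions;
// optional_param, s(), html_writer and format_text are real Moodle API).
require(__DIR__ . '/../../config.php');

require_login();
$context = context_system::instance();
$PAGE->set_url(new moodle_url('/local/demo/hello.php'));
$PAGE->set_context($context);

// "Bad" version: PARAM_RAW keeps any markup and the value is echoed as-is, so
// a link whose 'name' parameter carries a <script> tag runs that script in the
// visitor's browser, with the visitor's session.
//     $name = optional_param('name', '', PARAM_RAW);
//     echo '<h2>Hello ' . $name . '</h2>';

// "Good" version: clean the input to the type the page really needs, then
// escape it again at the point of output.
$name = optional_param('name', '', PARAM_TEXT);        // tags stripped on input
echo $OUTPUT->header();
echo html_writer::tag('h2', 'Hello ' . s($name));      // s() escapes for HTML

// Stored rich text (a forum post, a description) is a different case: it is
// meant to contain HTML, so it goes through format_text(), which runs the
// site's HTML cleaner unless the caller explicitly asks for 'noclean'.
$body = '<p>Constructed sample post</p><script>alert(1)</script>';  // constructed input
echo format_text($body, FORMAT_HTML, ['context' => $context]);

// One-line user-supplied headings get format_string() for the same reason.
echo html_writer::tag('h3', format_string('Course <b>title</b>', true, ['context' => $context]));
echo $OUTPUT->footer();
```

The rule the two halves illustrate: clean on input to the narrowest PARAM_* type that fits, and escape or filter on output with the function that matches the kind of content (s() for plain values, format_string() for one-liners, format_text() for stored HTML).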
After the attack
Who is responsible? Who suffers? Whose fault is it?
Moodle administrator, Developer, Hacker, Students, Teacher
Cross-site scripting (XSS)
Make sure the plugin does not automatically assign any XSS_RISK capabilities to roles with Student or Authenticated user archetypes;
Create a role with all capabilities that are not marked with XSS_RISK;
Give a user this role (in addition to Student or Authenticated user);
Login as this user, disable the HTML editor in your preferences;
Wherever you can, try to insert XSS;
Make sure nobody (teacher, other users) can be affected;
Test rare cases, such as deletion, moving, etc.
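What the first test step checks in the code, as an added example (not from the slides and not a real plugin): a db/access.php for a hypothetical "local_demo" plugin where the RISK_XSS capability is kept away from the student and authenticated-user archetypes, plus the lib.php helper that consumes it. The capability names are assumptions; RISK_XSS, CONTEXT_COURSE, CAP_ALLOW, the archetype names, has_capability() and format_text() are real Moodle API.

```php
<?php
// Added example, not from the slides: db/access.php of a hypothetical plugin
// "local_demo" plus one helper from its lib.php. The capability names and the
// plugin are assumptions; RISK_XSS, CONTEXT_COURSE, CAP_ALLOW, the archetype
// names and has_capability()/format_text() are real Moodle API.
defined('MOODLE_INTERNAL') || die();

$capabilities = [
    // Holders may publish unfiltered HTML that other users will see, so the
    // capability carries RISK_XSS and is granted only to archetypes whose
    // members are already trusted. 'student' and 'user' (authenticated user)
    // are deliberately absent: the first test step on this slide would fail
    // if they were listed here with CAP_ALLOW.
    'local/demo:postrawhtml' => [
        'riskbitmask'  => RISK_XSS,
        'captype'      => 'write',
        'contextlevel' => CONTEXT_COURSE,
        'archetypes'   => [
            'editingteacher' => CAP_ALLOW,
            'manager'        => CAP_ALLOW,
        ],
    ],
    // Read-only capability with no risk flag: safe to give to students.
    'local/demo:view' => [
        'captype'      => 'read',
        'contextlevel' => CONTEXT_COURSE,
        'archetypes'   => [
            'student'        => CAP_ALLOW,
            'editingteacher' => CAP_ALLOW,
            'manager'        => CAP_ALLOW,
        ],
    ],
];

// lib.php: the capability is evaluated for the AUTHOR of the stored text (the
// user id saved with the record), not for whoever happens to view it. A
// viewer-side check would let a student's markup through unfiltered whenever
// a teacher opens the page.
function local_demo_render_announcement(string $html, context $context, int $authorid): string {
    $noclean = has_capability('local/demo:postrawhtml', $context, $authorid);
    return format_text($html, FORMAT_HTML, ['context' => $context, 'noclean' => $noclean]);
}
```

The test role described on the slide (every capability except the RISK_XSS ones) exercises exactly this split: a user holding 'local/demo:view' but not 'local/demo:postrawhtml' must always get the cleaned output.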
Cross-site request forgery (CSRF)
Cross-site request forgery, also known as a one-click attack or session riding, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting, which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
Cross-site request forgery (CSRF)
On login a random session key (sesskey) is generated for the user and stored in the session
Every significant action appends sesskey to the request
The backend script checks sesskey by calling confirm_sesskey() or require_sesskey()
Moodleforms always pass and validate sesskey
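The sesskey mechanism end to end, as an added example (not from the slides): a delete page of a hypothetical "local_demo" plugin that puts the key into its confirmation link and refuses to change data without it. The plugin, the capability 'local/demo:manage', the table and the language strings are assumptions; sesskey(), require_sesskey(), confirm_sesskey(), moodle_url, redirect() and $OUTPUT->confirm() are real Moodle API.

```php
<?php
// Added example, not from the slides: delete.php of a hypothetical plugin
// "local_demo". Plugin, capability, table and strings are assumptions;
// sesskey()/require_sesskey()/confirm_sesskey() are real Moodle API.
require(__DIR__ . '/../../config.php');

$id      = required_param('id', PARAM_INT);
$confirm = optional_param('confirm', 0, PARAM_BOOL);

require_login();
$context = context_system::instance();
require_capability('local/demo:manage', $context);          // hypothetical capability
$PAGE->set_url(new moodle_url('/local/demo/delete.php', ['id' => $id]));
$PAGE->set_context($context);

if ($confirm) {
    // The only branch that changes data. require_sesskey() throws when the
    // request carries no sesskey or the wrong one, so a request triggered from
    // another site (which cannot know this user's key) stops here.
    require_sesskey();
    $DB->delete_records('local_demo_items', ['id' => $id]);  // hypothetical table
    redirect(new moodle_url('/local/demo/index.php'), get_string('deleted', 'local_demo'));
}

// The confirmation link is generated server-side and carries the key.
// $OUTPUT->confirm() renders it as a single-button form, which is what the
// "non-JavaScript confirmation page" on the next slide refers to.
$yesurl = new moodle_url('/local/demo/delete.php',
    ['id' => $id, 'confirm' => 1, 'sesskey' => sesskey()]);
$nourl  = new moodle_url('/local/demo/index.php');

echo $OUTPUT->header();
echo $OUTPUT->confirm(get_string('confirmdelete', 'local_demo'), $yesurl, $nourl);
echo $OUTPUT->footer();

// Non-throwing variant for code that wants to report rather than abort:
//     if (!confirm_sesskey()) { print_error('invalidsesskey'); }
```

A moodleform needs none of this by hand: the form class adds the sesskey field itself and get_data() returns nothing for a submission whose key does not match. Links and plain GET actions are where the key is forgotten.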
Cross-site request forgery (CSRF)
As admin/teacher/manager, open many tabs with links/quickforms
If some action has a non-JavaScript confirmation page, open the confirmation page
In another tab log out and log in as the same user, close this tab
Make sure no links or form submissions perform any changes to the data
Watch for AJAX requests
Privilege escalation
Capability check when displaying the control must exactly match the capability check when processing the request
Often happens with backend scripts for AJAX requests
How to test: similar to the CSRF test, but instead of logout/login use another browser to log in as administrator and revoke some capabilities from the user
Review the code and make sure every PHP script is either defined as internal or calls require_login() / require_course_login()
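The "display check must match processing check" rule in code, as an added example (not from the slides): an AJAX backend for a hypothetical "local_demo" activity plugin and the lib.php function that decides whether its button is rendered, both checking the same capability in the same module context. The plugin, capability 'local/demo:deleteitem' and table are assumptions; AJAX_SCRIPT, get_course_and_cm_from_cmid(), require_login(), require_sesskey(), require_capability() and has_capability() are real Moodle API.

```php
<?php
// Added example, not from the slides: ajax.php of a hypothetical plugin
// "local_demo" and its lib.php button helper. Plugin, capability and table
// are assumptions; the Moodle API calls are real.
define('AJAX_SCRIPT', true);
require(__DIR__ . '/../../config.php');

// lib.php side: the SAME capability in the SAME context decides whether the
// button is rendered. Rendering is a convenience for the user; it is not the
// security control, because the capability can be revoked after the page was
// built (this is exactly what the test on this slide does).
function local_demo_delete_button(int $cmid, int $itemid): string {
    $context = context_module::instance($cmid);
    if (!has_capability('local/demo:deleteitem', $context)) {
        return '';
    }
    return html_writer::tag('button', get_string('delete'), [
        'data-cmid' => $cmid, 'data-itemid' => $itemid, 'data-sesskey' => sesskey(),
    ]);
}

// ajax.php side: every backend script repeats the three checks.
$cmid   = required_param('cmid', PARAM_INT);
$itemid = required_param('itemid', PARAM_INT);

// 1. Who is calling? Anonymous callers are rejected by require_login().
list($course, $cm) = get_course_and_cm_from_cmid($cmid);
require_login($course, false, $cm);
$context = context_module::instance($cm->id);

// 2. Is this the user's own request and not a forged one?
require_sesskey();

// 3. May this user do this, in this context, right now? Same capability,
//    same context as in local_demo_delete_button().
require_capability('local/demo:deleteitem', $context);

// The item is scoped to the module too, so an id from another activity cannot
// be deleted even by a user who holds the capability here.
$DB->delete_records('local_demo_items', ['id' => $itemid, 'cmid' => $cm->id]);
echo json_encode(['success' => true]);
```

Files that are only ever included by other scripts (lib.php, classes, db/*.php) should start with `defined('MOODLE_INTERNAL') || die();` instead, so that requesting them directly over HTTP does nothing; that is what "defined as internal" on the slide means.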
Information leakage
username should not be visible to anybody, and other identity fields can only be visible to people with the capability ‘moodle/site:viewuseridentity’
make sure the plugin does not disclose user names or profile pictures to guests or non-logged-in users
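One way to apply both rules of this slide when listing users, as an added example (not from the slides): a row-rendering function for a hypothetical "local_demo" plugin. The function and string names are assumptions; isloggedin(), isguestuser(), has_capability(), fullname(), $OUTPUT->user_picture() and the $CFG->showuseridentity setting are real Moodle API.

```php
<?php
// Added example, not from the slides: one row of a participant list in a
// hypothetical plugin "local_demo". Function and string names are
// assumptions; the Moodle API calls and $CFG->showuseridentity are real.
defined('MOODLE_INTERNAL') || die();

/**
 * Render one participant row as the current user is allowed to see it.
 *
 * @param stdClass $user    full user record (id, firstname, lastname, email, picture, ...)
 * @param context  $context context the list is displayed in
 * @return string HTML for a <tr>
 */
function local_demo_user_row(stdClass $user, context $context): string {
    global $OUTPUT, $CFG;

    // Guests and anonymous visitors get neither a name nor a picture.
    if (!isloggedin() || isguestuser()) {
        return html_writer::tag('tr',
            html_writer::tag('td', get_string('anonymousparticipant', 'local_demo')));
    }

    $cells = [];
    $cells[] = html_writer::tag('td', $OUTPUT->user_picture($user));
    $cells[] = html_writer::tag('td', fullname($user));   // never $user->username

    // Identity fields are whatever the site configured in $CFG->showuseridentity
    // (a comma-separated list such as "email,idnumber"); they are shown only to
    // holders of moodle/site:viewuseridentity in this context. The username is
    // not an identity field and is never shown.
    if (has_capability('moodle/site:viewuseridentity', $context)) {
        foreach (explode(',', (string) $CFG->showuseridentity) as $field) {
            $field = trim($field);
            if ($field !== '' && $field !== 'username' && isset($user->$field)) {
                $cells[] = html_writer::tag('td', s($user->$field));
            }
        }
    }
    return html_writer::tag('tr', implode('', $cells));
}
```

The same split applies to any other output path of the plugin: exports, web service responses and e-mails must hide the same fields from the same people as the HTML view does.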
SQL injection
$searchstring = optional_param('s', '', PARAM_NOTAGS);
// Vulnerable: user input is concatenated straight into the SQL string.
$DB->execute("SELECT * from {sometable} WHERE name LIKE '%" . $searchstring . "%'");
SQL injection
Search for $DB-> in the code and make sure there are no string concatenations, only placeholders
Try appending an apostrophe ‘ to each input field, especially ones that are supposed to be numeric; any DML error is a sign of potential SQL injection
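The search from the previous slide rewritten with placeholders, as an added example (not from the slides). The table name "sometable" is the slide's own placeholder and the 'course' parameter is an assumption; optional_param(), $DB->sql_like(), $DB->sql_like_escape(), $DB->get_records_sql() and $DB->get_records() are real Moodle DML API.

```php
<?php
// Added example, not from the slides: the slide's search with placeholders.
// 'sometable' is the slide's placeholder table; 'course' is assumed.
require(__DIR__ . '/../../config.php');
require_login();

$searchstring = optional_param('s', '', PARAM_NOTAGS);
// PARAM_INT: a value such as 12' is cleaned to an integer before it is used,
// so the apostrophe test on the slide cannot reach the database through it.
$courseid = optional_param('course', 0, PARAM_INT);

// Named placeholder for the value; the value itself never becomes part of the
// SQL text, so an apostrophe in $searchstring is just data. sql_like() emits
// the database's own case-insensitive LIKE; sql_like_escape() stops "%" and
// "_" typed by the user from acting as LIKE wildcards.
$sql = "SELECT *
          FROM {sometable}
         WHERE " . $DB->sql_like('name', ':search', false) . "
           AND course = :course";
$params = [
    'search' => '%' . $DB->sql_like_escape($searchstring) . '%',
    'course' => $courseid,
];
$records = $DB->get_records_sql($sql, $params);

// For equality conditions the helper methods build the parameterised SQL
// themselves; there is nothing to concatenate.
$exact = $DB->get_records('sometable', ['course' => $courseid, 'name' => $searchstring]);
```

Two reviewer notes on the original snippet besides the concatenation: $DB->execute() is meant for statements that return no rows, so a SELECT belongs in get_records_sql()/get_record_sql(); and a "%...%" LIKE built from unescaped input is also a performance problem on large tables, which the denial-of-service slide comes back to.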
Command-line and code injection
Search the code for usage of exec, eval, shell_exec, system, passthru, popen, proc_open, etc.
Sometimes it is even worth disabling some of those functions in php.ini
unserialize() is a good function but should never be applied to user input
preg_replace() with the ‘e’ modifier may also be dangerous
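The three patterns from this slide with the replacement a code reviewer would ask for, as an added example (not from the slides). The function names are assumptions; everything called is standard PHP.

```php
<?php
// Added example, not from the slides: safer replacements for the three
// functions named on this slide. Function names are assumptions; all calls
// are standard PHP.
defined('MOODLE_INTERNAL') || die();

// 1. unserialize() on request data lets the sender choose which PHP classes
//    get instantiated (and their __wakeup/__destruct code runs). Keep
//    structured data in JSON, which produces only arrays and scalars, and
//    whitelist the keys you expect.
function local_demo_decode_prefs(string $raw): array {
    $data = json_decode($raw, true);
    if (!is_array($data)) {
        return [];
    }
    return array_intersect_key($data, ['sortby' => 1, 'perpage' => 1]);
}
// Legacy serialized data that was written by your own code, never a
// request parameter:
//     $legacy = unserialize($stored, ['allowed_classes' => false]);

// 2. preg_replace() with the /e modifier evaluated the replacement string as
//    PHP (removed in PHP 7). preg_replace_callback() gives the same result
//    with an ordinary function, so nothing from the input is ever executed.
function local_demo_upper_tags(string $text): string {
    return preg_replace_callback('/\[([a-z]+)\]/', function (array $m): string {
        return strtoupper($m[1]);
    }, $text);
}

// 3. Shell commands: the command text is a constant, every argument is
//    escaped, and the argument is validated before it gets there. If the
//    plugin does not need the shell at all, the php.ini setting below is the
//    stronger fix.
function local_demo_file_type(string $path): string {
    if (!is_readable($path)) {
        return '';
    }
    return trim((string) shell_exec('file -b ' . escapeshellarg($path)));
}
```

The php.ini option the slide mentions is `disable_functions`, for example `disable_functions = exec,passthru,shell_exec,system,proc_open,popen`; with it in place the third function above simply fails closed, which is usually preferable to a plugin that can spawn processes at all.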
Illegal file access
Files may be saved to or read from only the temporary directory or datadir
In 99% of cases accessing datadir should be done using methods of the file_storage class, see get_file_storage()
‘filemanager’ and ‘editor’ elements in moodleforms are usually safe
‘filepicker’ or any other file upload must be tested
Search for the functions file_get_contents(), file_put_contents() and fopen() and make sure they are only used on allowed locations
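Serving a plugin's file through the file_storage API instead of a filesystem path, as an added example (not from the slides): a download script for a hypothetical "local_demo" activity plugin. The plugin, file area 'attachment' and capability are assumptions; PARAM_FILE, get_file_storage(), stored_file, send_stored_file(), send_file_not_found() and make_temp_directory() are real Moodle API.

```php
<?php
// Added example, not from the slides: download.php of a hypothetical plugin
// "local_demo". Plugin, file area and capability are assumptions; the Moodle
// file API calls are real.
require(__DIR__ . '/../../config.php');

$cmid     = required_param('cmid', PARAM_INT);
$filename = required_param('file', PARAM_FILE);   // PARAM_FILE: a bare file name, no slashes or ".."

list($course, $cm) = get_course_and_cm_from_cmid($cmid);
require_login($course, false, $cm);
$context = context_module::instance($cm->id);
require_capability('local/demo:view', $context);   // hypothetical capability

// Pattern this replaces: a path built from request data and handed to the
// filesystem, e.g.
//     readfile($CFG->dataroot . '/demo/' . required_param('file', PARAM_RAW));
// A value containing ".." walks out of the intended directory, which is what
// the slide's "illegal file access" means.

// Safe: the file is addressed by (context, component, area, itemid, path,
// name). There is no directory to traverse; a name that does not exist in
// this module's area simply returns false.
$fs   = get_file_storage();
$file = $fs->get_file($context->id, 'local_demo', 'attachment', 0, '/', $filename);
if (!$file || $file->is_directory()) {
    send_file_not_found();
}
send_stored_file($file, 0, 0, true);   // forcedownload = true; exits after sending

// If a path on disk is genuinely needed (to hand the file to an external
// tool), copy the content into a Moodle-managed temp directory rather than
// reading datadir directly:
//     $dir = make_temp_directory('local_demo');
//     $file->copy_content_to($dir . '/' . $file->get_filename());
```

When reviewing uploads ('filepicker' or a custom form), the same question applies in reverse: the upload must land in a file area through the file API (or in a temp directory from make_temp_directory()), never at a path derived from the submitted file name.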
Denial of service, buffer overflow, timeout
Turn on performance reporting and make sure pages do not access the DB excessively
All pages accessible by guests or non-logged-in users must be very light
preg_match() called on user input may result in ReDoS (regular expression denial of service)
Set a reasonable timeout for PHP scripts. Moodle increases the timeout when needed (restore, cron, big file serving, etc.)
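The guards this slide asks for on one search page, as an added example (not from the slides): a hypothetical "local_demo" plugin that bounds the input before it reaches preg_match(), bounds the query, and raises the time limit only for the work that needs it. The plugin, table, strings and function names are assumptions; core_text, core_php_time_limit, MINSECS, $DB->get_records_select(), rebuild_course_cache() and the $CFG->perfdebug setting are real Moodle API.

```php
<?php
// Added example, not from the slides: search.php of a hypothetical plugin
// "local_demo" with DoS guards. Plugin, table, strings and function names
// are assumptions; the Moodle API calls are real.
require(__DIR__ . '/../../config.php');
require_login();

// The performance reporting the slide refers to is enabled in config.php:
//     $CFG->perfdebug = 15;
// and shows DB query counts and timings in the page footer.

/**
 * Accept a search string only if it is small enough to run regexes and LIKE
 * queries on. Length is measured in characters, not bytes.
 */
function local_demo_validate_search(string $search): string {
    if (core_text::strlen($search) > 200) {
        throw new moodle_exception('searchtoolong', 'local_demo');   // hypothetical string
    }
    return $search;
}

/**
 * The user supplies only the TEXT being matched, never the pattern. The
 * pattern is fixed and has no nested quantifiers such as (a+)+, so its cost
 * grows linearly with the input. preg_match() returns false when PCRE hits
 * its backtrack limit, so anything other than 1 is treated as "no match".
 */
function local_demo_is_coursecode(string $text): bool {
    return preg_match('/^[A-Z]{2,4}-\d{3}$/', $text) === 1;
}

/**
 * Bounded query: the LIMIT keeps a broad search from pulling a whole table
 * into memory, which matters most on pages that guests can reach.
 */
function local_demo_search(string $search, int $limit = 50): array {
    global $DB;
    $select = $DB->sql_like('name', ':search', false);
    $params = ['search' => '%' . $DB->sql_like_escape($search) . '%'];
    return $DB->get_records_select('local_demo_items', $select, $params, 'name ASC', '*', 0, $limit);
}

/**
 * Work that legitimately runs long gets an explicit, bounded raise of the
 * time limit (the mechanism Moodle itself uses in restore, cron and file
 * serving), not set_time_limit(0).
 */
function local_demo_rebuild(array $courseids): void {
    core_php_time_limit::raise(10 * MINSECS);
    foreach ($courseids as $courseid) {
        rebuild_course_cache((int) $courseid);
    }
}

$search = local_demo_validate_search(optional_param('s', '', PARAM_NOTAGS));
if (local_demo_is_coursecode($search)) {
    $results = $DB->get_records('local_demo_items', ['code' => $search]);   // exact, indexed lookup
} else {
    $results = local_demo_search($search);
}
echo $OUTPUT->header();
echo html_writer::tag('p', get_string('resultcount', 'local_demo', count($results)));
echo $OUTPUT->footer();
```

The order matters: the length check runs before any regex or query, so the cheapest test rejects oversized input first, and the time-limit raise is scoped to the one function that needs it rather than applied to the whole page.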
https://moodle.org/security/
Moodle security process:
Quick response
Bi-monthly releases
Extended security support
Responsible disclosure
Registration with Open Source Security (OSS)
#moodlesecurity
Thank you
Marina Glancy, marina@moodle.com