I realize that there are a number of camps on how and to whom to make security exploit info available prior to implementation of fixes. I will look into the visibility. Some years ago one of my students, on a bit of an unauthorized explore, discovered that teachers were placing confidential documents on their "desktop", which translated to leaving them in their home directories, and this resulted in anyone being able to identify and in some cases read files on the desktop... The student thought he was being responsible in reporting the situation to the administration, which went hysterical. My offer of a perl script that simply changed all default user perms was ignored and an e-mail alert for a security breach was mailed out, now freaking out teachers. Of course, there was no security breach, nor system flaw... There is often a difference between what a developer expects code to do and what the user expects code to do, in addition to the diff between what the code is expected to do and what it can be made to do...
I commented on his site (but he deleted it, surprise!) along the lines of "you and I both know that it is much more likely that this was a server hack - nothing to do with Moodle".
So, yes, I was interested in the nature of the hack too but until proven different, my money is on this not being a Moodle issue. I, for one, am happy to see information about Moodle security problems but please let's have accurate information that we can do something with.
Perhaps if Chardelle is around she can close the loop and let us know what happened.
I guess we can expect a post on Steve's site trying to make me look stupid in the next 24 hours - I don't need Steve to do that.
It seems there was a security issue with Joomla - see Mauno's post: All moodle sites using Joomla should upgrade their Joomla immediately.
I have been reading Steve's blog regularly for many reasons and the sad thing is that he always tells the partial truth - and exactly that part that he finds useful for his purposes to disgrace mainly Partners and Martin. One of Steve's popular words is TROLL - obviously he just does not identify himself to any group he is talking about http://thecountryshrink.com/2008/07/02/on-the-psychology-of-trolls/
I too am a regular reader of Steve's blog and I find some interesting reading. As they say, everybody has an opinion and he is entitled to his but the political point scoring dilutes the useful bit of his message (just *my* opinion, of course).
Just don't believe everything you see on the web
One comment to Steve's blog (because comments there are blocked but I know you read all posts here in moodle.org, Steve...):
"Moodle disciples just can’t seem to process the idea that Moodle could possibly be hacked…"
Have you really seen somebody saying that, Steve? Where? When?
The site you mentioned - vetserbia.edu.yu/moodle/ - was hacked 2008/07/19 http://www.zone-h.org/component/option,com_attacks/Itemid,43/filter_defacer,maskeli5ler/page,10 and can still be hacked (possibly) any day by any cracker because the site is running moodle 1.4.4 (2004083140), and you can see the version with Firefox if you move the mouse over the moodle logo at the bottom, Steve...
Looking at http://secunia.com/search/?search=moodle, quite a few vulnerabilities have been fixed since version 1.4.4.
It sounds rather unfair (again) to blame developers of moodle for a hacked site if site owners have not done any security upgrades for years.
Yes, my site was hacked--yikes. But NO, and I will repeat this, NO, this did not have anything to do with Moodle. In fact, the Moodle side of the site was working just fine, thank you. And, I will mention here, I have never had a security issue with any Moodle site I have ever worked with.
The vulnerability was most likely with the early version of Joomla 1.5 I was running on the front end. I suggest that anyone running a Joomla 1.5 site immediately upgrade to the latest version. See here for more info on that.
He'd look a lot more credible if he didn't partake in bending the truth. But then I would say that, I'm a Moodle disciple apparently.
I did write a win-win situation for ALL. And with reference to the video, it could all have started with clear and true leadership and information from the beginning. If such information had been provided from the beginning, that person might NOT have chosen the path chosen by now.