How to handle module vulnerabilities?

by Mauno Korpelainen -
Number of replies: 8

Hi all,

I just wrote http://moodle.org/mod/forum/discuss.php?d=111710#p490348, but is there any guide on what to do if some 3rd-party activity might be vulnerable?

In reply to Mauno Korpelainen

Re: How to handle module vulnerabilities?

by Mauno Korpelainen -

I created a new security issue in the tracker - still, in http://julmis.julmajanne.com/?id=26 Janne says:

Each of these "snippets" is Open Source and you can use them at your own risk.

OK - but even if I created a security issue in the tracker, I should probably contact the maintainer of that module (in this case Janne), and if he has time to check the code he might publish an update to this module, and somehow old Moodle sites should find out that their netpublish module might be vulnerable...

In reply to Mauno Korpelainen

Re: How to handle module vulnerabilities?

by Anthony Borrow -
Mauno - CONTRIB is pretty open to encourage sharing. I think the best we can do, at least for now, is to continue to remind folks that while 3rd-party code is neat and fun to have, it does not undergo the same quality control and testing that CORE code undergoes and thus may be susceptible to more vulnerabilities. Martin had mentioned the idea of possibly hiring someone to review code, but at this point I don't see enough need. At the SF Moot, I spoke with a couple of the Partners about the possibility of having them rate particular modules and patches to certify that they meet a particular level of quality. As we work to revamp the Modules and Plugins database, we can factor in how to do this. That being said, when a vulnerability has been found, I would report it as a security issue in the tracker. I don't think too much of Petr's time should go into 3rd-party code, but I know that he has been helpful to developers in fixing up code and making recommendations, as he did for me with the SQL injection vulnerability in the MRBS code. So those are my initial thoughts. I'd be interested in what others think. Peace - Anthony
In reply to Anthony Borrow

Re: How to handle module vulnerabilities?

by Mauno Korpelainen -

I'm afraid there really are a lot of vulnerable activities and blocks. When they started to investigate 3rd-party extensions of Joomla, the list became long very soon:

http://docs.joomla.org/Vulnerable_Extensions_List 

So the advice to use any 3rd-party activities and themes at your own risk sounds reasonable - I just wonder how many sites have been hacked through them...

In reply to Anthony Borrow

Re: How to handle module vulnerabilities?

by A. T. Wyatt -
I believe partners have a list of modules they consider high quality. I bid out hosting a year or so ago and such a list was referred to. If you can get them to share, it might be helpful.
In reply to A. T. Wyatt

Re: How to handle module vulnerabilities?

by Tim Hunt -
Individual partners may have such a list for their internal use. But there is no shared, or official list.

The talk has been about how to increase the quality of the rating and commenting system in the modules and plugins database so that there is a public list that everyone can contribute to and benefit from.
In reply to Tim Hunt

Re: How to handle module vulnerabilities?

by Helen Foster -
Hi,

Regarding an improved system of rating and commenting on entries in the modules and plugins database, please see MDLSITE-571. All suggestions and comments are welcome!
In reply to Mauno Korpelainen

Re: How to handle module vulnerabilities?

by Martin Dougiamas -
In this case, I don't think netpublish has any problems at all.

But as you guessed the correct procedure would be to flag a security issue in the tracker, plus it would be nice to let the author know (if you know them).
In reply to Martin Dougiamas

Re: How to handle module vulnerabilities?

by Mauno Korpelainen -

It was a natural first guess - and yes, I did flag a security issue and sent Janne a private message when I saw that post.

You may be right - there are some similar cases that have something to do with an old FCKEditor vulnerability and some gallery programs - one possible reason could be that some image/blog attack was launched through some material/link shown in the netpublish module etc. I really don't know this case... and have not seen any files from that site to be able to comment more.