Hi all,
just wrote http://moodle.org/mod/forum/discuss.php?d=111710#p490348 but is there any guide on what to do if some 3rd party activity might be vulnerable?
I created a new security issue in the tracker - still, at http://julmis.julmajanne.com/?id=26 Janne says:
Each of these "snippets" are Open Source and you can use them at your own risk.
OK - but even if I created a security issue in the tracker, I should probably contact the maintainer of that module (in this case Janne), and if he has time to check the code he might publish an update to this module, and somehow old Moodle sites should find out that their Netpublish module might be vulnerable...
I'm afraid there really are a lot of vulnerable activities and blocks. When they started to investigate 3rd party extensions of Joomla the list became long very soon:
http://docs.joomla.org/Vulnerable_Extensions_List
So the advice to use any 3rd party activities and themes at your own risk sounds reasonable - I just wonder how many sites have been hacked through them...
It was a natural first guess - and yes, I did flag a security issue and sent Janne a private message when I saw that post.
You may be right - there are some similar cases that have something to do with an old FCKEditor vulnerability and some gallery programs - one possible reason could be that some image/blog attack was launched through some material/link shown in the Netpublish module etc. I really don't know this case... and have not seen any files from that site to be able to comment more.