Moodle security concerns - where's the source of information?

by Cris Fuhrman -
Number of replies: 4

Hi,

We're considering using Moodle at our university and are very impressed by what we've seen so far. However, having learned my lesson several times with Open Source tools for education (forums in CGI, Perl scripts, PHP scripts, all of which come with their share of security holes), I'm always a bit conservative about reusing such tools. Our system administrators are even more conservative, because they get stuck with dealing with the damage done to the system when it gets hacked.

A Google search on Moodle and security comes up with a lot of discussion of issues, some very recent (Aug. 2004). But nothing seems to be centralized here on the source (moodle.org). Other open source projects (MySQL, Apache, etc.) have ways to inform users about what security risks exist in certain versions, which patches have recently been released, etc.

Where is that information on Moodle.org? If we install Moodle, will we be informed of security-related issues so that we can keep up with the patches?

Regards,

Cris Fuhrman

In reply to Cris Fuhrman

Re: Moodle security concerns - where's the source of information?

by Scott Elliott -

Cris,

With the few security issues that have arisen, Martin has been great about contacting registered users with this information. (I think this is sent to the email address of the admin user(s) of your site?)

Maybe someone would like to chime in with ways they help to make their sites "secure".

In reply to Cris Fuhrman

Re: Moodle security concerns - where's the source of information?

by Martin Dougiamas -
Security updates are one of the benefits of registering your site at moodle.org. Just use the registration button on your admin page.

When I'm notified of security problems then I try and get fixes out to registered users within days, either as a patch or a new version.

Running your site directly from the latest STABLE CVS branch is the best idea - all the latest fixes will always be in there and all you need to do is run "cvs update" occasionally.
In reply to Martin Dougiamas

Re: Moodle security concerns - where's the source of information?

by Cris Fuhrman -
It's been some time since my first posting on this subject. Since then I see that Moodle.org now has a separate site for discussing security (security.moodle.org), and that community members have done formal security audits (according to the release notes of 1.4.2). Good news!
In reply to Cris Fuhrman

Re: Moodle security concerns - where's the source of information?

by Michael Penney -
Yeah and man o man are they strict about it, whew!

BTW, we've just been dealing with the fact that Blackboard 6 'secures' its digital drop box via obscurity (a random number added to each filename, and that's it) and thus has NO security to keep students in computer labs from browsing each other's files in the drop box via browser history!

Moodle's system of double session checking for all file access is miles ahead of its $100,000/year "Enterprise" competitor (frankly I'd be embarrassed if I was a Blackboard programmer).