Moodle security concerns - where's the source of information?

by Cris Fuhrman
Number of replies: 4


We're considering using Moodle at our university and are very impressed by what we've seen so far. However, having learned my lesson several times with Open Source tools for education (forums in CGI, perl scripts, php scripts, all of which come with their share of security holes), I'm always a bit conservative about reusing such tools. Our system administrators are even more conservative, because they get stuck with dealing with the damage done to the system when it gets hacked.

A Google search on Moodle and security comes up with a lot of discussion of issues, some very recent (Aug. 2004). But nothing seems to be centralized here on the source ( Other open source projects (MySQL, Apache, etc.) have ways to inform users about what security risks exist in certain versions, which patches have recently been released, etc.

Where is that information on If we install Moodle, will we be informed of security-related issues so that we can keep up with the patches?


Cris Fuhrman

In reply to Cris Fuhrman

Re: Moodle security concerns - where's the source of information?

by Scott Elliott


With the few security issues that have arisen, Martin has been great about contacting registered users with this information. (I think this is sent to the email address of the admin user(s) of your site?)

Maybe someone would like to chime in with ways they help to make their sites "secure".

In reply to Cris Fuhrman

Re: Moodle security concerns - where's the source of information?

by Martin Dougiamas
Security updates is one of the benefits of registering your site at Just use the registration button on your admin page.

When I'm notified of security problems then I try and get fixes out to registered users within days, either as a patch or a new version.

Running your site directly from the latest STABLE CVS branch is the best idea - all the latest fixes will always be in there and all you need to do is run "cvs update" occasionally.

In reply to Martin Dougiamas

Re: Moodle security concerns - where's the source of information?

by Cris Fuhrman
It's been some time since my first posting on this subject. Since then I see that now has a separate site for discussing security (, and that community members have done formal security audits (according to the release notes of 1.4.2). Good news!

In reply to Cris Fuhrman

Re: Moodle security concerns - where's the source of information?

by Michael Penney
Yeah and man o man are they strict about it, whew!

BTW, we've just been dealing with the fact that Blackboard 6 'secures' its digital drop box via obscurity (a random number added to each filename, and that's it) and thus has NO security to keep students in computer labs from browsing each other's files in the drop box via browser history!

Moodle's system of double session checking for all file access is miles ahead of its $100,000/year "Enterprise" competitor (frankly I'd be embarrassed if I was a Blackboard programmer).
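
The contrast drawn in the post above, as an added example that is not part of the thread and is neither Moodle's nor Blackboard's code: a file handler that relies only on an unguessable name, beside one that checks a server-side session and the file's owner on every request. The file name, users, role list and function names are all assumptions made for the sketch.

```python
import secrets

# Constructed sample data: one submitted file and its owner.
FILES = {"essay_48213.doc": {"owner": "alice", "data": b"alice's essay"}}
TEACHERS = frozenset({"prof"})   # assumed role list for this sketch
SESSIONS = {}                    # session id -> username, held server-side


def login(user):
    """Create a server-side session and return its random id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid


def logout(sid):
    """Invalidate the session so old URLs stop working."""
    SESSIONS.pop(sid, None)


def serve_by_obscurity(name):
    """Weak: the file name is the only secret, so a URL left in
    browser history is enough to fetch the file."""
    entry = FILES.get(name)
    return (200, entry["data"]) if entry else (404, b"")


def serve_with_session_check(name, sid):
    """Hardened: every request needs a live session whose user is
    allowed to read this particular file."""
    user = SESSIONS.get(sid) if sid else None
    if user is None:
        return (401, b"")
    entry = FILES.get(name)
    allowed = entry is not None and (user == entry["owner"] or user in TEACHERS)
    # Same reply for "missing" and "not yours": no oracle for file names.
    return (200, entry["data"]) if allowed else (404, b"")
```

With the second handler, a URL found in a lab machine's history returns 401 once the original user has logged out, and 404 for any other logged-in student.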