Security Issue of Moodle

by Freddy Mok -
Number of replies: 4

Dear all,

For running Moodle it is necessary to set the Safe Mode of PHP to OFF.  Can anyone offer advice about the following questions:

1. Which feature and function of Moodle will be affected if we set the Safe Mode of PHP to ON?

2. What is the risk when we set the Safe Mode of PHP to OFF?

3. How do we protect the Moodle system when we set the Safe Mode of PHP to OFF? Are there any security measures (e.g. firewall, IPS, anti-virus, etc.) we could implement to strengthen the security of the Moodle system?

Thank you in advance for your advice.

Best regards,

Freddy Mok

In reply to Freddy Mok

Re: Security Issue of Moodle

by Marcus Green -

PHP Safe mode is considered sufficiently inappropriate that it has been removed from PHP6. You can read more about this at

http://www.breakingpointsystems.com/community/blog/php-safe-mode-considered-harmful

In reply to Marcus Green

Re: Security Issue of Moodle

by Freddy Mok -
Dear Marcus,

On the web page:

http://www.breakingpointsystems.com/community/blog/php-safe-mode-considered-harmful

It is noted that

"PHP web applications are one of the most commonly attacked pieces of software on the Internet" and

"problems that may be easier to solve by limiting the privileges of the PHP interpreter through other means."

Do you have some advice for us on what "privileges of the PHP interpreter" must be limited to keep the system secure without affecting the features and functions of Moodle?

Many thanks

Freddy




In reply to Freddy Mok

Re: Security Issue of Moodle

by Marcus Green -
I believe the statement

"PHP web applications are one of the most commonly attacked pieces of software on the Internet"

is not because PHP itself is inherently insecure but because it is one of the most widely used systems for web applications.


I cannot advise on the follow-up statement


"problems that may be easier to solve by limiting the privileges of the PHP interpreter through other means."

But on my reading around this issue there seems to be a consensus that safe mode is approaching security issues from the wrong angle, i.e. putting locks on the front door without checking the windows.

But I am in no way an expert on this.