We have recently put one of our Moodles (1.9.8) through penetration testing at the request of a client. Most of the issues are quickly solvable; a couple we may alert you to via the tracker once confirmed as issues in Moodle core and not our own code/configuration.
One point raised was the use of session keys in URLs, the worry being that these could be obtained via proxy server caches and the like.
I've been told by one of the Moodle development team that it is not possible to switch this functionality off. I'm just wondering what the advice is to feed back to the client?
I guess my first take on this is to make sure the session time-out is set to 10 minutes or so, so that the session key is only of value for a short period of time...
Any views or comments people want to share about this here?
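As an added illustration of the mitigations a practitioner could feed back on the point above (example code written for this page, not Moodle's own code and not part of the original post): keep the PHP session id itself out of URLs, make authenticated responses uncacheable by shared proxies, keep the server-side session lifetime short, and only honour a URL-borne token when it matches the one held in the server-side session, so that a URL harvested from a proxy cache is inert without the accompanying session cookie. The `url_token()` and `check_url_token()` helpers and the 10-minute lifetime are assumptions made here; the snippet also assumes an HTTPS deployment.

```php
<?php
// Added example (not Moodle code): hardening a PHP front controller against
// session identifiers leaking through URLs and shared proxy caches.

// 1. Never let PHP put its own session id in the URL, even if cookies are off.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// 2. Short server-side lifetime (assumption: 10 minutes) so a leaked
//    identifier stops working quickly.
ini_set('session.gc_maxlifetime', '600');

// 3. session_start() then emits Cache-Control: no-store / Pragma: no-cache,
//    which tells shared caches (proxies) not to keep the response.
ini_set('session.cache_limiter', 'nocache');

// 4. Cookie flags: secure (HTTPS only, assumes a TLS deployment) and httponly.
//    Arguments: lifetime, path, domain, secure, httponly.
session_set_cookie_params(0, '/', '', true, true);
session_start();

/**
 * Headers for responses that are produced outside session_start(), e.g.
 * downloads or redirects, so that no page carrying per-session tokens in
 * its links is stored by an intermediary.
 */
function send_no_cache_headers() {
    header('Cache-Control: no-store, no-cache, must-revalidate, private');
    header('Pragma: no-cache');
    header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');
}

/**
 * Per-login token that may appear in URLs (hypothetical helper). It is only
 * meaningful together with the session cookie: a URL harvested from a cache
 * carries the token but not the session, so check_url_token() fails for the
 * holder of the URL alone.
 */
function url_token() {
    if (empty($_SESSION['url_token'])) {
        $_SESSION['url_token'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['url_token'];
}

/**
 * Accept a URL token only if it equals the one stored server-side for this
 * session. hash_equals() avoids leaking the comparison position via timing.
 */
function check_url_token($supplied) {
    return isset($_SESSION['url_token'])
        && is_string($supplied)
        && hash_equals($_SESSION['url_token'], $supplied);
}

// Usage: every state-changing link carries the token, and the handler
// refuses to act unless the token matches the current session.
send_no_cache_headers();
$link = '/course/delete.php?id=42&token=' . urlencode(url_token());
if (isset($_GET['token']) && !check_url_token($_GET['token'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Invalid or expired request token');
}
```

The token check is the property that makes a cached URL low-value: the attacker needs the session cookie as well. Shortening the lifetime, as suggested in the post, narrows the window further but does not by itself stop a cache from storing the page, which is what the `nocache` limiter and the explicit headers address.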
It says to add a link to the admin/index.php file,
although I want the link to appear in the admin_tree_block.
Good day Dan,
May I ask which tool(s) you used to perform the Moodle penetration testing?
If you want to make sure the session information (cookie / session key) is safer, you could use the PHP extension Suhosin, which lets you encrypt this information with several pieces of user data in the key, e.g. the user agent or the IP address (or parts of it).
We (a group of students from FH Gießen-Friedberg - University of Applied Sciences) developed an admin interface for the extension to use in Moodle.
Additionally, we developed a Moodle plugin which contains PHP-IDS as an intrusion detection and prevention system, so that e.g. the use of SQL injections, which is already escaped by the Moodle core, is logged and can cause penalties for the user.
Our plugins are developed on the newest Moodle version 2, so you can't use these plugins right now, but you will be able to when Moodle 2 development is stable (at the moment it's RC1) and you decide to upgrade.
Our Plugins are available at http://sourceforge.net/projects/hardeningmoodle/files/
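To show what binding a session to the user agent and part of the IP address, as the post above describes Suhosin doing, looks like in plain PHP, here is an added example written for this page (it is not Suhosin's code and not the hardeningmoodle plugin). The HMAC secret, the session key name `__fp` and the choice of a two-byte address prefix are assumptions made here; the prefix is deliberately partial so users behind a proxy pool or a changing DHCP lease are not logged out on every address change.

```php
<?php
// Added example (not Suhosin, not the hardeningmoodle plugin): bind a PHP
// session to client attributes so that a stolen session id presented from a
// different browser or network is rejected and the session discarded.

// Assumption: a long random per-deployment secret, kept out of the web root.
define('SESSION_BIND_SECRET', 'replace-with-a-long-random-value');

/**
 * Fingerprint of the client: HMAC over the user agent and the first two
 * bytes of the packed IP address (a /16 for IPv4, the first 16 bits for
 * IPv6). Using a prefix rather than the full address tolerates proxy pools
 * and address churn; using an HMAC keeps the stored value from revealing
 * the inputs if the session store leaks.
 */
function session_fingerprint($user_agent, $remote_addr, $secret) {
    $packed = @inet_pton($remote_addr);
    $prefix = ($packed === false) ? '' : substr($packed, 0, 2);
    return hash_hmac('sha256', $user_agent . "\0" . $prefix, $secret);
}

/**
 * Start the session and enforce the binding. Returns true if the session is
 * trusted and false if it was destroyed because the fingerprint changed.
 */
function start_bound_session() {
    ini_set('session.use_only_cookies', '1');
    session_start();

    $fp = session_fingerprint(
        isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '',
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '',
        SESSION_BIND_SECRET
    );

    if (!isset($_SESSION['__fp'])) {
        // Fresh session: rotate the id (defeats fixation) and record the binding.
        session_regenerate_id(true);
        $_SESSION['__fp'] = $fp;
        return true;
    }

    if (!hash_equals($_SESSION['__fp'], $fp)) {
        // Browser or network prefix changed: treat the id as stolen.
        $_SESSION = array();
        session_destroy();
        return false;
    }
    return true;
}

// Usage: call before any authenticated work; a false result means the
// caller should redirect to the login page rather than continue.
if (!start_bound_session()) {
    header('HTTP/1.1 401 Unauthorized');
    exit('Session rejected: client fingerprint changed');
}
```

The binding is a second factor for the session id, not a replacement for the cookie flags and short lifetime discussed earlier in the thread: an attacker who replays the id from the same browser and network range still passes. Binding to the full IP address would be stricter but, as the post notes with "or parts of it", it breaks legitimate users whose address changes mid-session.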