verify_certificate for Moodle 2.0


by solutt c -

We have installed the Certificate 2.0 module. Can someone help us in getting the verify_certificate block working with Moodle 2.0?

In reply to solutt c

Re: verify_certificate for Moodle 2.0

by Jean-Michel Védrine -

Hello,

I didn't know verify_certificate but I downloaded it and had a look at the code.

My god! How can somebody use such code in 2011?

Data coming from user input is not cleaned or validated.

This is not a door open to hackers, it's a portal!!!

Don't install such a "thing" on your server if you care about your data.

It would need a complete rewrite.

You have been warned.

In reply to Jean-Michel Védrine

Re: verify_certificate for Moodle 2.0

by Jean-Michel Védrine -

Hello,

I have made a version of the verify_certificate block for Moodle 2.1 that should be a lot more secure. It requires login and only accepts letters and numbers in the user input.

It's only quick work, so you should test it before using it on a production server. Unfortunately I am in a hurry: students begin courses in less than 15 days from now and I don't think I can finish all the work I still have to do!!

So my testing was rather minimal!!

One thing that I know is that I broke the friendly printing feature while trying to tidy the HTML output somewhat (still a lot of things to do). Sorry. I hope not too many people use it. Maybe somebody can look at why it is no longer working (the special style for the printer is not used as it should be).

In reply to Jean-Michel Védrine

Re: verify_certificate for Moodle 2.0

by solutt c -

Thanks, I'll test it. What changes will I have to look at? Is it insecure to verify certificates without login?

In reply to solutt c

Re: verify_certificate for Moodle 2.0

by Jean-Michel Védrine -

It is not necessarily insecure to let non-logged-in users verify certificates, but a general security rule is: only allow non-logged-in users to do the minimum things. Most actions should be reserved for logged-in users.

You must realize I don't use this block myself so I don't know how it is used. Do you need non-logged-in users to be able to verify certificates? Don't you have any privacy issue if anybody is able to view this information?

Who uses this block? Teachers or students?

What was very very dangerous with the old version was that users could enter anything instead of a legitimate code and it was used in a query to the database. This is evil!

I won't go into details for reasons you can easily understand, but imagine some malicious hacker is able to embed a request to erase all database tables in the entered input. Bye, bye, all the data is gone!

Note: this cartoon is only given as an illustration, this kind of attack would not work with the old version of verify_certificate, but other attacks would work, you can believe me!

In the version I have rewritten, only input made of letters and numbers is allowed.
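
The fix described in this post (accept only letters and numbers), paired with a bound query parameter, as an added example that is not part of the thread or of the verify_certificate block. It uses plain PHP with PDO and an in-memory SQLite database so it runs stand-alone; the table `issued_certs`, its columns, the function names and the sample codes are all constructed for illustration.

```php
<?php
// Added example: allow-list validation plus a bound parameter for a
// certificate-code lookup. Table, columns and codes are constructed.

function clean_certificate_code(string $raw): ?string {
    $raw = trim($raw);
    // Letters and digits only, bounded length. Anything else is rejected,
    // not "repaired", so the caller never sees a half-cleaned value.
    if (preg_match('/\A[A-Za-z0-9]{1,40}\z/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

function find_certificate(PDO $db, string $raw): ?array {
    $code = clean_certificate_code($raw);
    if ($code === null) {
        return null; // rejected input never reaches the database
    }
    // Second layer: the value is bound, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT holder, course FROM issued_certs WHERE code = :code');
    $stmt->execute([':code' => $code]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory data so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE issued_certs (code TEXT PRIMARY KEY, holder TEXT, course TEXT)');
$db->exec("INSERT INTO issued_certs VALUES ('A1b2C3d4E5', 'Sample Student', 'Sample Course')");

// Constructed inputs: a valid code, one with padding, an unknown code,
// and three that fail the allow-list (quote, hyphen, empty string).
foreach (['A1b2C3d4E5', ' A1b2C3d4E5 ', 'ZZZ999', "A1b2'C3", 'A1b2-C3d4', ''] as $input) {
    $result = find_certificate($db, $input);
    printf("%-16s => %s\n", var_export($input, true),
        $result ? $result['holder'] . ' / ' . $result['course'] : 'no certificate');
}
```

Rejected input and unknown codes produce the same answer, so a public verification form reveals nothing beyond whether a code is valid.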

In reply to Jean-Michel Védrine

Re: verify_certificate for Moodle 2.0

by Jean-Michel Védrine -

I have not tested my version in Moodle 2.0 and as I said I am in a hurry to get things done for September.

Can somebody test it with Moodle 2.0 and report? If it doesn't work I can surely correct it to work in a very short time (Moodle 2.0 and 2.1 are pretty similar).

Are people using the old version with Moodle 1.9? If yes, I need to make a version for Moodle 1.9 ASAP because the version for Moodle 2.0/2.1 will not work with Moodle 1.9 and before!

In reply to Jean-Michel Védrine

Re: verify_certificate for Moodle 2.0

by Tim Hunt -

By the way, I think it is an important feature that you can verify someone's certificate without logging in (if the admin chooses to add the block to the site front page.)

A typical use case would be someone presenting their certificate at a job interview. The interviewer would like to verify the certificate with minimum effort.

In reply to Tim Hunt

Re: verify_certificate for Moodle 2.0

by Jean-Michel Védrine -

Hello Tim,

That's a good point; as I said, I had no idea what that block was used for.

I will remove the require_login call.

Anyway the code input is sanitized now.

Do you know why the CSS with @media print { } seems not to work anymore in my version?

In reply to Jean-Michel Védrine

Re: verify_certificate for Moodle 2.0

by Fabio Batalha M. Barros -

Thanks a lot. It's running on my Moodle 2.1.1.

It's a plugin very important for my job. Thanks a lot!!!