Security and privacy

BackTracking in moodle site?

Panagiotis Karageorgos
BackTracking in moodle site?

Hi to all, 

Recently one of my students claimed that he can discover the admin password on my Moodle site by using Backtracking (?).

Although I changed the admin password 3 times, he managed to discover it.

I made all the serious security changes to my site, such as moving the moodledata directory outside the web-exposed area and also using the salt password method to increase the MD5 security, but he managed to discover it using Backtracking (?).

Can you help me with this issue?

thank you

Mary Cooch
Re: BackTracking in moodle site?

What is backtracking?

Daniele Cordella
Re: BackTracking in moodle site?

Ciao All.


@Panagiotis: you have to enforce your $CFG->passwordsaltmain in config.php.


I hope this can help.

Panagiotis Karageorgos
Re: BackTracking in moodle site?

Well, thanks Daniele. This feature is really helpful; I've already done this. Although I saw this video

and this one  

and I was very concerned that my students could use this technique, as they told me they can.


Is there another way to protect my usernames and passwords in my MySQL database?


Thank you

Tim at Lone Pine Koala Sanctuary
Re: BackTracking in moodle site?

There is no need to panic about this. The first video only manages to 'hack' the example site because:

1. the system being attacked has a blatant SQL-injection vulnerability.

2. the system being attacked stores the password in the database as plain text.

Moodle does neither of these things.

Well, it is hard to prove that there is not an SQL injection attack anywhere in Moodle, but Moodle does two systematic things to prevent SQL-injection:

a. all incoming data is filtered using the clean_param function to strip out unexpected input.

b. values are substituted into SQL statements using prepared statements and placeholders.

Moodle stores passwords in the database only after hashing them. If you have set a password salt in your config.php file, then it will be very hard for an attacker to reverse any strong passwords, and I hope your admin knows to choose a strong password.

(There are two improvements that Moodle could make to security: We could switch to a better hashing algorithm like Blowfish, and we could use a per-user salt in addition to the system-wide salt. However, these would just take Moodle's security from Very, very good, to Excellent.)

The more serious worry is session stealing or network traffic sniffing. The only real defense there is to use HTTPS.

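The two failures Tim lists (string-built SQL and plaintext passwords) and the two defences he and Daniele describe (placeholders, a site-wide salt like $CFG->passwordsaltmain plus a per-user salt) can be shown side by side in a small login check. The following is an added example written for this thread, not Moodle code: it uses an in-memory SQLite database and a constructed site-wide salt, and the table names, the `login_vulnerable` / `login_hardened` functions and the PBKDF2 parameters are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed site-wide secret for this example. It plays the role that
# $CFG->passwordsaltmain plays in Moodle's config.php: a value kept in
# configuration, not in the database, so a dump of the user table alone
# is not enough to mount a dictionary attack.
SITE_SALT = "constructed-site-wide-salt-do-not-reuse"
PBKDF2_ROUNDS = 50_000  # assumed work factor for the example


def make_db():
    """In-memory SQLite database with one table per storage style."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_plain (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE user_hashed (username TEXT, salt TEXT, hash TEXT)")
    return conn


def hash_password(password, user_salt):
    """Per-user salt plus site-wide salt, stretched with PBKDF2-HMAC-SHA256."""
    salt = (user_salt + SITE_SALT).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def register(conn, username, password):
    """Store the same account both ways so the two login paths can be compared."""
    user_salt = os.urandom(16).hex()  # fresh per-user salt
    conn.execute("INSERT INTO user_plain VALUES (?, ?)", (username, password))
    conn.execute(
        "INSERT INTO user_hashed VALUES (?, ?, ?)",
        (username, user_salt, hash_password(password, user_salt)),
    )


def login_vulnerable(conn, username, password):
    """Both mistakes from the video: the SQL is built by string formatting, so
    user input becomes part of the statement, and the plaintext password is
    compared inside the query, so the table must hold it in the clear."""
    sql = (
        "SELECT username FROM user_plain WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn, username, password):
    """The username is bound through a placeholder, so it is always data, never
    SQL; only a salted hash is stored, and the comparison is done in constant
    time in application code."""
    row = conn.execute(
        "SELECT salt, hash FROM user_hashed WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    user_salt, stored_hash = row
    return hmac.compare_digest(stored_hash, hash_password(password, user_salt))


def dump_reveals_password(conn, username, password):
    """What a copy of each table gives an attacker: True if the plaintext is
    sitting in the stored column."""
    plain = conn.execute(
        "SELECT password FROM user_plain WHERE username = ?", (username,)
    ).fetchone()[0]
    hashed = conn.execute(
        "SELECT hash FROM user_hashed WHERE username = ?", (username,)
    ).fetchone()[0]
    return {"plain_table": plain == password, "hashed_table": hashed == password}


def demo():
    """Run the same inputs through both login paths and report the outcomes."""
    conn = make_db()
    secret = "correct horse battery staple"
    register(conn, "admin", secret)
    tautology = "' OR '1'='1"  # the textbook payload used against string-built SQL
    return {
        "vulnerable_correct": login_vulnerable(conn, "admin", secret),
        "vulnerable_injected": login_vulnerable(conn, "admin", tautology),
        "hardened_correct": login_hardened(conn, "admin", secret),
        "hardened_injected": login_hardened(conn, "admin", tautology),
        "hardened_wrong": login_hardened(conn, "admin", "wrong password"),
        "hardened_unknown_user": login_hardened(conn, "nobody", "anything"),
        "dump": dump_reveals_password(conn, "admin", secret),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the vulnerable path accepting the tautology string as a password while the hardened path rejects it, and the dump check shows that only the plaintext table hands over the admin password. The site-wide salt is held in code rather than the table for the reason Daniele's advice implies: a database-only leak then still lacks the input needed to test candidate passwords.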
Visvanath Ratnaweera
Re: BackTracking in moodle site?
Could they have meant Backtrack-Linux?