BackTracking in moodle site?

by panagiotis karageorgos -
Number of replies: 5

Hi to all, 

Recently one of my students claimed that he can discover the admin password in my moodle site by using Backtracking (?).

Although I changed the admin password 3 times, he managed to discover it.

I made all the serious security changes to my site, such as moving the moodledata directory outside the web-exposed area and also using the password salt method to increase the md5 security, but he managed to discover it using Backtracking (?).

Can you help me with this issue?

thank you

Average of ratings: -
In reply to panagiotis karageorgos

Re: BackTracking in moodle site?

by Mary Cooch -

What is backtracking?

In reply to Mary Cooch

Re: BackTracking in moodle site?

by Daniele Cordella -

Ciao All.

@Mary: http://en.wikipedia.org/wiki/Backtracking

@Panagiotis: you have to enforce your $CFG->passwordsaltmain in config.php.

See: http://docs.moodle.org/23/en/Password_salting

I hope this can help.
Ciao.

Average of ratings: Useful (1)
In reply to Daniele Cordella

Re: BackTracking in moodle site?

by panagiotis karageorgos -

Well, thanks Daniele. Really helpful, this feature; I've already done this. Although I saw this video

and this one

and I was very concerned that my students could use this technique, as they told me they can.

Is there another way to protect my usernames and passwords in my mysql database?


Thank you

In reply to panagiotis karageorgos

Re: BackTracking in moodle site?

by Tim Hunt -

There is no need to panic about this. The first video only manages to 'hack' the example site because:

1. the system being attacked has a blatant SQL-injection vulnerability.

2. the system being attacked stores the password in the database as plain text.

Moodle does neither of these things.

Well, it is hard to prove that there is no SQL injection attack anywhere in Moodle, but Moodle does two systematic things to prevent SQL injection:

a. all incoming data is filtered using the clean_param function to strip out unexpected input.

b. values are substituted into SQL statements using prepared statements and placeholders.

Moodle stores passwords in the database only after hashing them. If you have set a password salt in your config.php file, then it will be very hard for an attacker to reverse any strong passwords, and I hope your admin knows to choose a strong password.

(There are two improvements that Moodle could make to security: we could switch to a better hashing algorithm like Blowfish, and we could use a per-user salt in addition to the system-wide salt. However, these would just take Moodle's security from Very, very good, to Excellent.)

The more serious worry is session stealing or network traffic sniffing. The only real defense there is to use HTTPS.

Average of ratings: Useful (1)
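The two defences Tim describes (input cleaning plus placeholders in SQL, and salted password hashing), shown as an added, self-contained example. This is not Moodle code and does not use Moodle's API: the `users` table, the `clean_username` stand-in for `clean_param`, the in-memory SQLite database and the constructed site salt are all assumptions made for illustration. It puts the weak variant of each step next to the hardened one, and goes one step beyond the post by also showing the per-user salt with a slow key-derivation function that Tim lists as a possible improvement.

```python
"""Constructed example (not Moodle code): parameterised SQL and salted
password hashing beside the weak forms they replace."""
import hashlib
import hmac
import os
import re
import sqlite3

# Stand-in for a site-wide secret such as $CFG->passwordsaltmain (constructed value).
SITE_SALT = "constructed-site-wide-salt"


def make_db():
    """In-memory SQLite database with a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, salt BLOB)")
    return conn


def clean_username(raw):
    """Simplified stand-in for clean_param: keep only characters a username may
    contain, so unexpected input never reaches the query at all."""
    return re.sub(r"[^A-Za-z0-9._@-]", "", raw)


def hash_sitewide(password):
    """Weak form: md5(password + one site-wide salt). Two users with the same
    password get the same hash, so one cracked hash reveals both."""
    return hashlib.md5((password + SITE_SALT).encode()).hexdigest()


def hash_peruser(password, salt):
    """Hardened form: per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def add_user(conn, username, password):
    """Store a user with a fresh random salt; placeholders bind every value as data."""
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (username, hash_peruser(password, salt), salt))


def lookup_unsafe(conn, username):
    """Vulnerable form: the username is pasted into the SQL text. A quote in the
    input changes the statement itself instead of being compared as data."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Hardened form: the database driver binds the value via a placeholder."""
    return [row[0] for row in
            conn.execute("SELECT username FROM users WHERE username = ?", (username,))]


def unsafe_lookup_breaks(conn, username):
    """True if the concatenated query fails on this input (the quote is parsed as SQL)."""
    try:
        lookup_unsafe(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


def verify_login(conn, username, password):
    """Recompute the per-user hash and compare in constant time."""
    row = conn.execute("SELECT password, salt FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], hash_peruser(password, row[1]))


if __name__ == "__main__":
    db = make_db()
    add_user(db, "O'Brien", "correct horse battery")
    print("safe lookup:", lookup_safe(db, "O'Brien"))
    print("unsafe lookup breaks on a quote:", unsafe_lookup_breaks(db, "O'Brien"))
    print("login ok:", verify_login(db, "O'Brien", "correct horse battery"))
    print("login wrong pw:", verify_login(db, "O'Brien", "guess"))
```

The quote in `O'Brien` is deliberate: it is ordinary data, yet the concatenated query fails to parse while the placeholder version returns the row, which is exactly the property that also stops injected SQL. The site-wide-salt function is kept only to show why per-user salts are the improvement Tim mentions: identical passwords hash identically under a single salt, but not once each user has a random salt.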