Security and privacy

BackTracking in moodle site?

Picture of Daniele Cordella
Re: BackTracking in moodle site?
Core developersParticularly helpful MoodlersPlugin developers

Ciao All.


@Panagiotis: you have to enforce your $CFG->passwordsaltmain in config.php.


I hope this can help.

Average of ratings: Useful (1)
Picture of panagiotis karageorgos
Re: BackTracking in moodle site?

Well thanks Daniele. Really helpful this feature, I ve already done this.  Although I saw this video

and this one  

and I was very concerned that my students could use this technique, as they told me they can.


Is there another way to protect my username and passwords in  my mysql database?


Thank you

Average of ratings: -
Tim at Lone Pine Koala Sanctuary
Re: BackTracking in moodle site?
Core developersDocumentation writersParticularly helpful MoodlersPlugin developers

There is no need to panic about this. The first video only manges to 'hack' the example site because:

1. the system being attacked has a blatant SQL-injection vulnerability.

2. the system being attacked stores the password in the database as plain text.

Moodle does neither of these things.

Well, it is hard to prove that there is not an SQL injection attack anywhere in Moodle, but Moodle does two systematic things to prevent SQL-injection:

a. all incoming data is filtered using the clean_param function to strip out undexpected input.

b. values are substituted into SQL statements using prepared statements and placeholders.

Moodle stores passwords in the database only after hashing them. If you have set a password salt in your config.php file, then it will be very hard for an attacker to reverse any strong passwords, and I hope your admin knows to choose a strong password.

(There are two imporvements that Moodle could make to security: We could switch to a better hashing agorithm like Blowfish, and we could use a per-user salt in addtion to the system-wide salt. However, these would just take Moodle's security from Very, very good, to Excellent.)

The more serious worry is session stealing or network traffic sniffing. The only real defense there is to use HTTPS.

Average of ratings: Useful (1)
Picture of Visvanath Ratnaweera
Re: BackTracking in moodle site?
Particularly helpful Moodlers
Could they have meant Backtrack-Linux ?
Average of ratings: -