Security and privacy

BackTracking in moodle site?

Tim at Lone Pine Koala Sanctuary
Re: BackTracking in moodle site?
Core developersDocumentation writersParticularly helpful MoodlersPlugin developers

There is no need to panic about this. The first video only manges to 'hack' the example site because:

1. the system being attacked has a blatant SQL-injection vulnerability.

2. the system being attacked stores the password in the database as plain text.

Moodle does neither of these things.

Well, it is hard to prove that there is not an SQL injection attack anywhere in Moodle, but Moodle does two systematic things to prevent SQL-injection:

a. all incoming data is filtered using the clean_param function to strip out undexpected input.

b. values are substituted into SQL statements using prepared statements and placeholders.

Moodle stores passwords in the database only after hashing them. If you have set a password salt in your config.php file, then it will be very hard for an attacker to reverse any strong passwords, and I hope your admin knows to choose a strong password.

(There are two imporvements that Moodle could make to security: We could switch to a better hashing agorithm like Blowfish, and we could use a per-user salt in addtion to the system-wide salt. However, these would just take Moodle's security from Very, very good, to Excellent.)

The more serious worry is session stealing or network traffic sniffing. The only real defense there is to use HTTPS.

Average of ratings: Useful (1)