Disable password Unmask option

by Dimitris Chatzipanagiotidis -
Number of replies: 4

Hi,

As we are trying to build a new e-learning system and we have also other systems in our network we realized that we may have a big security breach.

The reason is that we use LDAP authentication (Active Directory) and the administrators in Moodle 2.4 are not the same as outside this platform.

In case we use an administration password for authenticating e.g. an SMTP server, it can be visible to people who should not be able to see it, just by clicking on 'Unmask'.

My question is how I can at least disable or remove the option from each web page that has this function.

I am using Moodle 2.4 on Ubuntu server 12.04.

Thank you.

In reply to Dimitris Chatzipanagiotidis

Re: Disable password Unmask option

by Tim Hunt -

You should verify this by seeing what happens on a test server, but I think it works like this:

When you are using LDAP, Moodle does not store a copy of the user's password at all. Therefore, there is nothing that could be un-masked.

Thus there is no security problem here.

In reply to Tim Hunt

Re: Disable password Unmask option

by Dimitris Chatzipanagiotidis -

Yes, it is true that no passwords are stored when using LDAP authentication.

However, I use the SMTP server of MS Exchange, so administrator credentials for that system need to be stored in Moodle.

If someone goes to those settings and unmasks the password, they will be able to see the administrative credentials of the other system.

Is it possible to remove that Unmask option, somehow?

Thank you

In reply to Dimitris Chatzipanagiotidis

Re: Disable password Unmask option

by Tim Hunt -

Well, for someone with Moodle administrator access, it is quite hard to stop them accessing things. (For example, if you had https://moodle.org/plugins/view.php?plugin=report_customsql installed, admins could read the data directly from the database.)

However, there are some things you could do:

  1. In your theme, add a style rule div.unmask {display: none;}. That will hide the option, but it is not very secure.
  2. Tweak the Moodle code, to change calls like $mform->addElement('passwordunmask', ...) to $mform->addElement('text', ...), and admin_setting_configpasswordunmask -> admin_setting_configtext.

Also, you could set up your SMTP server so that the username and password that Moodle uses only has the minimum number of permissions necessary. Moodle does not need the SMTP server administrator password. It only needs to be able to send emails through the SMTP server.

Average of ratings: Useful (1)
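Before applying the second suggestion in the answer above (swapping the 'passwordunmask' form element and the admin_setting_configpasswordunmask setting class for their plain-text counterparts), an administrator needs to know which files in the Moodle tree actually use them. The script below is an added example, not code from this thread or from the Moodle project: it lists every such call site under a given source directory and counts them, so the set of edits is known and can be re-checked after an upgrade. The sample tree it builds (settings_sample.php, sample_form.php) is constructed for the example and does not reflect real Moodle file names.

```shell
#!/bin/sh
# Added example (not from the thread or the Moodle project): inventory the
# places in a Moodle source tree that render a password with an "Unmask"
# option, so an admin knows exactly which call sites step 2 would change.

# List file:line:text for every .php file under $1 that uses either the
# 'passwordunmask' form element or the admin_setting_configpasswordunmask
# setting class. The directory is assumed to be a Moodle source checkout.
find_unmask_sites() {
    root="$1"
    find "$root" -name '*.php' -exec grep -Hn \
        -e "addElement('passwordunmask'" \
        -e 'admin_setting_configpasswordunmask' {} +
}

# Number of call sites found under $1 (one line per match).
count_unmask_sites() {
    find_unmask_sites "$1" | wc -l | tr -d ' '
}

# Build a small constructed sample tree so the example runs offline.
# The file names and contents are invented; they only mimic the shape of
# a Moodle settings.php entry and a form definition.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/admin" "$d/lib/form"
    cat > "$d/admin/settings_sample.php" <<'EOF'
<?php
// Constructed sample modelled on a Moodle settings.php entry.
$temp->add(new admin_setting_configpasswordunmask('smtppass', 'SMTP password', '', ''));
$temp->add(new admin_setting_configtext('smtphosts', 'SMTP hosts', '', ''));
EOF
    cat > "$d/lib/form/sample_form.php" <<'EOF'
<?php
// Constructed sample form that uses the passwordunmask element.
$mform->addElement('passwordunmask', 'password', 'Password');
$mform->addElement('text', 'username', 'Username');
EOF
    echo "$d"
}

# Usage: ./find_unmask.sh /path/to/moodle
# With no argument the functions are only defined, which lets the file be
# sourced from another script.
if [ "${1:-}" != "" ]; then
    find_unmask_sites "$1"
    echo "call sites: $(count_unmask_sites "$1")"
fi
```

On the constructed tree the script reports two call sites (one setting, one form element); the plain 'text' and admin_setting_configtext lines are deliberately not matched, which is the state the tree should reach once the swap is done. Running it against the real checkout before and after editing gives a quick check that nothing was missed.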