We recently had a case where one course on our Moodle system was infected with malware. We fixed it before it went live to students but this is still a bit of a concern.
What seems to have happened is that a member of staff with editing permissions had an infected browser, and the particular malware involved was able to spot text areas (such as when the user was editing a Label) and insert its own script tags into the HTML just before it was submitted. After that, for everyone else who viewed the site, the malware would load and run.
In general, this shouldn't happen because everyone here is supposed to run antivirus software which should protect against this kind of thing. However, obviously there is a chance it could slip through the net.
In order to fix it Derek and I had to go through searching database tables and replacing everything blah blah. It was pretty tedious.
I'm wondering if Moodle should have general protection against this kind of malware (in other words, against the case where teachers who are editing websites can end up inserting malware scripts without their knowledge).
My thinking is:
- Malware usually requires the insertion of a script tag or a remote (not locally hosted via PLUGINFILE) .swf or something. (There might be some other attack mechanisms, this is just off the top of my head...)
- In 99.9% of cases, when a user edits something that has an html field, even if it's one of the fields that permits these things (such as a label) they do not want to insert any of them this time.
- What if Moodle could have an extra confirmation whenever you save any form (or at least most forms) that includes a <script> tag or non-local swf in its data? In other words, you save the form, it initially fails validation with a big 'are you sure' type box at the top with a checkbox that you have to click to approve that you really mean to add the script tag. The box could display the code for the script tag (or whatever) that you're adding, so you can see if it's something you meant to add or not.
- If you did tick the confirmation and save the form again, it would work (so you can still add script tags if you need to); a special log entry could be added to record this.
This would not prevent malware designed specifically to attack this version of Moodle (as it could automatically click the box and whatever else) - it is impossible to prevent that. However, it should prevent teachers from adding generic malware to a site. As an added benefit, if this runs on all forms, it might inform users - students as well as teachers, even though any script tags the students put in won't harm Moodle as they will already be filtered out - that they have a malware problem.
I'm not sure whether this is (a) feasible, or (b) the best approach - maybe there is a better way to achieve it. Alternatively, this has only happened to us once, so maybe it's not even a problem we should worry about as it won't happen again. I thought it was at least worth considering though.
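As an added illustration of the check proposed above (not code from the original post, and not Moodle code; Moodle is written in PHP, but the logic is shown here in Python so it can be run stand-alone), the following walks a submitted HTML field with a real HTML parser rather than a regex, collects the raw text of every tag that would execute or fetch active content, and emulates the two-step save: the first submission fails with the offending snippets to show in the "are you sure" box, and a resubmission with the checkbox ticked passes and produces a log record. It goes slightly beyond the post: besides `<script>` and a remote `.swf`, it also flags any remote `object`/`embed`/`iframe`, inline `on*` event handlers and `javascript:` URLs, which are the other generic ways of smuggling script into an HTML field. The `@@PLUGINFILE@@` placeholder, `SITE_ORIGIN`, the sample labels and all function names are assumptions made for this example.

```python
"""Server-side 'are you sure?' check for script injection in rich-text
form fields, along the lines of the proposal above.

Added example, not Moodle code. Assumptions (not from the post): locally
hosted files are referenced through the literal '@@PLUGINFILE@@' placeholder,
and the site's own origin is SITE_ORIGIN; both are constructed here.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_ORIGIN = "https://moodle.example.edu"   # constructed stand-in for the site URL

_EMBED_TAGS = {"object", "embed", "iframe"}  # tags that pull in active content
_URL_ATTRS = {"src", "data", "href"}          # attributes that carry that URL


def _is_local(url: str) -> bool:
    """Local = PLUGINFILE placeholder, a relative path, or this site's origin."""
    url = url.strip()
    if url.startswith("@@PLUGINFILE@@"):
        return True
    p = urlparse(url)
    if not p.scheme and not p.netloc:
        return True  # relative path, served from this site
    return f"{p.scheme}://{p.netloc}".lower() == SITE_ORIGIN.lower()


class RiskyMarkupFinder(HTMLParser):
    """Collect the raw text of every tag that would run script or load
    active content from somewhere other than the local file area."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        raw = self.get_starttag_text() or f"<{tag}>"   # original text, case kept
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":                              # tag name is lowercased
            self.findings.append(raw)
            return
        if tag in _EMBED_TAGS:
            if any(attrs.get(a) and not _is_local(attrs[a]) for a in _URL_ATTRS):
                self.findings.append(raw)
            return
        # inline event handlers and javascript: URLs on any other tag
        for k, v in attrs.items():
            if k.startswith("on") or v.strip().lower().startswith("javascript:"):
                self.findings.append(raw)
                break

    handle_startendtag = handle_starttag   # treat <embed .../> like <embed ...>


def find_risky_markup(html: str) -> list[str]:
    """Return the raw opening tags that should trigger the confirmation box."""
    finder = RiskyMarkupFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def validate_submission(html: str, confirmed: bool, user: str) -> dict:
    """Emulate the proposed two-step save.

    Without confirmation, risky markup fails validation and the snippets are
    returned for display. With the checkbox ticked the save succeeds and an
    audit log entry records who approved which tags."""
    findings = find_risky_markup(html)
    if not findings:
        return {"ok": True, "findings": [], "log": None}
    if not confirmed:
        return {"ok": False, "findings": findings, "log": None}
    log = {"event": "risky_markup_confirmed", "user": user, "tags": findings}
    return {"ok": True, "findings": findings, "log": log}


# Constructed samples: a Label body as an infected browser might submit it,
# a clean one, and remote vs. PLUGINFILE-hosted Flash objects.
INJECTED_LABEL = ('<p>Week 3 reading list</p>'
                  '<SCRIPT src="http://203.0.113.9/loader.js"></SCRIPT>')
CLEAN_LABEL = '<p>Week 3 reading list</p><img src="@@PLUGINFILE@@/cover.png" alt="">'
REMOTE_SWF = '<object data="http://203.0.113.9/ad.swf" type="application/x-shockwave-flash"></object>'
LOCAL_SWF = '<embed src="@@PLUGINFILE@@/demo.swf">'

if __name__ == "__main__":
    for name, body in [("injected", INJECTED_LABEL), ("clean", CLEAN_LABEL),
                       ("remote swf", REMOTE_SWF), ("local swf", LOCAL_SWF)]:
        print(name, validate_submission(body, confirmed=False, user="teacher1"))
    print("confirmed", validate_submission(INJECTED_LABEL, confirmed=True, user="teacher1"))
```

The parser-based approach matters because the injected tag arrives however the malware chose to write it (upper case, odd whitespace, unquoted attributes), and a case-sensitive search for the string `<script>` would miss `<SCRIPT src=...>`. Note the check is only a speed bump, as the post says: it catches markup a teacher did not know they were submitting, not an attacker who targets the confirmation step itself.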