Hello George,
Thanks for this initiative.
Moodle security procedures are described here. Please do not post on forums about security vulnerabilities you have found! Also this is a good page describing different security practices and vulnerabilities.
There are a couple of things I'd like to say to the contestants:
1. If you use automated penetration tests, please make sure not to submit the raw results but instead go through the report and test each case to make sure it is not a false positive. For example, search forms do not need CSRF protection since search results can be linked to directly; however, pentests report a form without sesskey as a security threat. Also keep in mind that pentests are not very helpful when looking for privilege escalation and many other types of vulnerabilities related to authenticated users.
2. There are users in Moodle who are allowed to insert scripts in the text fields. They have capabilities marked with XSS risk and they appear on the report Site administration > Reports > Security overview in the section "XSS trusted users". The default "Student" role does not have such capabilities, but the default "Teacher" role has quite a few of them. If you want to report an XSS vulnerability, make sure that you can reproduce it as a user without capabilities marked with XSS risk.
3. Make sure to include reproduction instructions in the reports about how the vulnerability can be used to attack other users, compromise data or affect the site/server work.
4. And, of course, always use the latest supported versions. Otherwise you may find an issue that was already fixed or an issue on a version that is out of support. At the time of writing the latest security-supported versions are: 3.1.11, 3.2.8, 3.3.5 and 3.4.2. Check the Version support page for up-to-date information.
Looking forward to seeing your reports and making Moodle even more secure and reliable.
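As an added illustration of points 1 and 2 above (this is example code, not part of the original post and not Moodle's own code), the script below models how a contestant might triage scanner findings before writing them up: a form only counts as a CSRF candidate if it changes server state, and an XSS finding only counts if it reproduces for a role that holds no capability carrying the XSS risk bit. The risk-bit constants follow the names Moodle uses in lib/accesslib.php; the capability table, the form list and the `triage()` helper are constructed for this demonstration and do not call Moodle's API.

```php
<?php
declare(strict_types=1);

// Risk bits named as Moodle defines them in lib/accesslib.php.
const RISK_CONFIG   = 0x0002;
const RISK_XSS      = 0x0004;
const RISK_DATALOSS = 0x0020;

// Constructed capability table in the shape of a db/access.php entry.
// Values are illustrative only; consult the real file for actual definitions.
const CAPABILITIES = [
    'moodle/course:manageactivities' => [
        'riskbitmask' => RISK_XSS,
        'archetypes'  => ['editingteacher', 'manager'],
    ],
    'moodle/course:view' => [
        'riskbitmask' => 0,
        'archetypes'  => ['student', 'teacher', 'editingteacher', 'manager'],
    ],
    'moodle/site:config' => [
        'riskbitmask' => RISK_CONFIG | RISK_XSS | RISK_DATALOSS,
        'archetypes'  => ['manager'],
    ],
];

/**
 * Capabilities carrying RISK_XSS that the given role archetype is granted.
 * A non-empty result means the account is an "XSS trusted user", so an XSS
 * finding reproduced only with that account is not a reportable vulnerability.
 */
function xss_trusted_capabilities(string $archetype, array $capabilities = CAPABILITIES): array {
    $trusted = [];
    foreach ($capabilities as $name => $def) {
        if (($def['riskbitmask'] & RISK_XSS) !== 0 && in_array($archetype, $def['archetypes'], true)) {
            $trusted[] = $name;
        }
    }
    return $trusted;
}

/**
 * Whether a form needs a sesskey (Moodle's CSRF token). Only requests that
 * change server state are CSRF targets; a search form whose results can be
 * linked to directly does not need one, whatever the scanner says.
 */
function form_needs_sesskey(bool $changesState): bool {
    return $changesState;
}

/**
 * Classify one scanner finding (constructed record shape) as a likely false
 * positive or as something that deserves manual verification and a write-up.
 */
function triage(array $finding): string {
    switch ($finding['type']) {
        case 'csrf':
            return form_needs_sesskey($finding['changes_state'])
                ? 'verify manually: state-changing form without sesskey'
                : 'false positive: read-only form, no sesskey required';
        case 'xss':
            $trusted = xss_trusted_capabilities($finding['archetype']);
            return $trusted
                ? 'reproduce with a lower role first; this role is XSS trusted via ' . implode(', ', $trusted)
                : 'verify manually: XSS reachable without XSS-risk capabilities';
        default:
            return 'manual review';
    }
}

// Constructed sample findings, as an automated scanner might report them.
$findings = [
    ['type' => 'csrf', 'where' => 'course search',        'changes_state' => false],
    ['type' => 'csrf', 'where' => 'delete activity',      'changes_state' => true],
    ['type' => 'xss',  'where' => 'activity description', 'archetype' => 'editingteacher'],
    ['type' => 'xss',  'where' => 'forum post',           'archetype' => 'student'],
];

foreach ($findings as $f) {
    printf("%-22s %s\n", $f['where'], triage($f));
}
```

Run it with `php triage.php`: the course search finding is dismissed as a false positive, the delete form is flagged for manual verification, and the two XSS findings are split by whether the test account's role already holds an XSS-risk capability. The point of the design is that the role check happens before any reproduction effort, which matches the advice to confirm an XSS report as a user outside the "XSS trusted users" list.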