lately there have been some malicious attacks on many sites using moodle.
users are uploading .exe files as attachments to different modules, for example
other users click the attached .exe file and that file turns out to be a trojan.
same is happening with other executable file types like .js even though of course those aren't trojans, just contain other less malicious code.
also, those users keep uploading .php, because it's possible but looks like moodle takes actions to disable the options for them to be executed on server.
in the code I see moodle's default allowed file type is '*'.
seems like a security hole.
I think this is the known vulnerability of it:
was this addressed in the code moodle 3.5?
is there a patch for it for moodle 3.1.x and later?
if moodle didn't fix this and doesn't intend to - where is the best place in the code for me to change this so that no matter what - no user will be able to add an .exe file?
I don't intend to rely on clam antivirus or imperva or any other layer of protection to keep me safe.
I have to change this in the code level.
yes, I have ClamAV antivirus there.
but as I wrote, I really don't want to rely on antivirus for this.
I believe it's important to prevent this in the moodle php code as it looks to me like a code vulnerability, and it ain't difficult to fix it, I just don't want to make core changes if someone has already done it or is working on it in the moodle team.
I'm not certain that those CVEs are looking at this in the same way that you are. They seem to be talking about a user uploading a file then causing it to be executed on the server in some way ("unspecified vectors"), rather than tricking other users into downloading malicious files.
If you believe this is a security issue, please raise an issue on the tracker. I found MDL-54716 which is somewhat related to what you're asking, although the response suggests raising separate issues for the specific modules that need changes.
More generally, while restricting .exe file uploads might help with your immediate problem, to be sure of keeping your users safe, you will need to rely on some sort of anti-virus scanning of uploads too. Not having a .exe extension doesn't guarantee a file isn't executable, or malicious!
also, I don't rely only on the code for this issue; as I wrote in my first post and the previous one - I AM already using antivirus and I don't believe it's enough.
the thing is I don't want to rely on any single layer of protection but use multiple ones.
codewise I feel obligated to restrict the file types a user can upload and not allow all.
is it safe to say that moodle's team doesn't see this issue as a vulnerability and does not intend to address it? that would be fine with me... I just need to know so I can move on to either create a jira issue or make my own code that does the restriction.
I think you might have to do it yourself, it's been mentioned for a few years and I don't think they ever implemented a whitelist.
If you look at /repository/upload/lib.php
I believe the process_upload() function in there is called whenever someone uploads a file, and there is already some code in there for checking mimetypes, so it should just be a case of adding in an extra line or so, to look for, say a $CFG->allowed_types variable, or a config setting if you want to make an actual form for it in Site Admin.
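To make the whitelist idea above concrete, here is an added example of the kind of check a site could run before a file is accepted. It is not Moodle core code and does not use any Moodle API: the whitelist is a plain array standing in for the suggested `$CFG->allowed_types` setting, the function name `upload_is_allowed()` and the sample files are assumptions, and the only PHP dependency is the standard `finfo` extension. The check looks at every dotted extension component (so `report.php.jpg` is rejected even though its last extension is allowed), verifies the detected MIME type against the whitelist instead of trusting the client-supplied one, and as extra defence refuses anything that starts with a Windows PE (`MZ`) or ELF header whatever its name.

```php
<?php
// Added example, not Moodle code: whitelist-based validation of an uploaded file.
// $allowed stands in for a hypothetical $CFG->allowed_types setting.
// Constructed whitelist: extension => MIME types that may legitimately carry it.
$allowed = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'txt'  => ['text/plain'],
];

/**
 * Decide whether an uploaded file may be stored.
 *
 * @param string $originalname filename as supplied by the browser
 * @param string $tmppath      path of the temporary file on the server
 * @param array  $allowed      extension => list of acceptable MIME types
 * @return array [bool $ok, string $reason]
 */
function upload_is_allowed(string $originalname, string $tmppath, array $allowed): array
{
    // 1. Every extension component must be whitelisted, not just the last one.
    //    This closes the "name.php.jpg" style of double extension.
    $parts = explode('.', strtolower(basename($originalname)));
    if (count($parts) < 2) {
        return [false, 'file has no extension'];
    }
    $exts = array_slice($parts, 1);
    foreach ($exts as $ext) {
        if ($ext === '' || !array_key_exists($ext, $allowed)) {
            return [false, "extension .$ext is not whitelisted"];
        }
    }
    $last = end($exts);

    // 2. Sniff the real content type with finfo; never trust $_FILES['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($tmppath);
    if ($mime === false || !in_array($mime, $allowed[$last], true)) {
        return [false, "detected type '$mime' does not match .$last"];
    }

    // 3. Defence in depth: refuse native executables regardless of name or type.
    $head = (string) file_get_contents($tmppath, false, null, 0, 4);
    if (substr($head, 0, 2) === 'MZ' || $head === "\x7fELF") {
        return [false, 'file carries an executable header'];
    }

    return [true, 'ok'];
}

// Constructed sample inputs written to temporary files for a stand-alone run.
$samples = [
    // Minimal PNG signature followed by padding; passes every check.
    ['logo.png',       "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16)],
    // Windows PE header renamed to look like an image; rejected.
    ['setup.png',      'MZ' . str_repeat("\0", 62)],
    // Double extension; rejected before the content is even read.
    ['report.php.jpg', "\xff\xd8\xff\xe0" . str_repeat("\0", 16)],
    // Plain executable name; rejected by the whitelist.
    ['tool.exe',       'MZ' . str_repeat("\0", 62)],
];

foreach ($samples as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    [$ok, $reason] = upload_is_allowed($name, $tmp, $allowed);
    printf("%-16s %s (%s)\n", $name, $ok ? 'ACCEPT' : 'REJECT', $reason);
    unlink($tmp);
}
```

Where this would sit in a real site is exactly the place the reply suggests, the upload handling path, and the extension list should be as short as the courses actually need. The MIME check relies on libmagic's signatures, so it is a complement to the whitelist rather than a replacement for antivirus scanning of the stored file.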