[3.5]Insecure files/folders Moodle?

by Richard van Iwaarden -
Number of replies: 2

Today I received this email:

Today I found some critical files on your web application which may lead to exploitation if an attacker gets such files.

You should remove such files from public view.

These files contain sensitive data as well as source code.

Here are the links to all the sensitive files:

http://moodle.org/install/

http://moodle.org/local/

http://moodle.org/package.json

http://moodle.org/phpunit.xml.dist

http://moodle.org/Gruntfile.js

http://moodle.org/composer.lock

http://moodle.org/cache/

http://moodle.org/backup/

http://moodle.org/.htaccess~

http://moodle.org/.eslintignore

Kindly fix them ASAP!!


I was trying to see if I could remove some of these folders and files, but it crashes Moodle. How 'serious' is this reported threat? And which files should I delete? (The install folder can be deleted, it seems.)


(I replaced my Moodle domain with moodle.org)

In reply to Richard van Iwaarden

Re: [3.5]Insecure files/folders Moodle?

by Andrew Lyons -
Hi Richard,


There is zero problem with these files being accessible. They are not sensitive in any way, except that they identify the version of Moodle you are running (and there are other ways of doing that).


Andrew

Average of ratings: Useful (2)