Security issues: what to do with vulnerable plugins?

by Ewout ter Haar -
Number of replies: 5

I became aware, just now, of this issue with one of the plugins in the plugin directory: https://tracker.moodle.org/browse/CONTRIB-7516.

I can't see the issue, since it's a severe security issue. On the other hand, according to https://docs.moodle.org/dev/Moodle_security_procedures I shouldn't disclose the plugin involved. I have verified that the plugin enabled exposing our config.php in plain text, and I'm sure much worse can happen.

My question is: what is the responsibility of the plugin directory maintainers in cases like these? In this case, I think the plugin should be removed immediately from the directory (until the vulnerability is solved in a next version). I'm not sure how to deal with the communication with moodle admins that installed the plugin.

In reply to Ewout ter Haar

Re: Security issues: what to do with vulnerable plugins?

by Tomasz Muras -

The vulnerability seems serious enough and not acted upon for a long time - I think the plugin should be removed from the listing.

In reply to Ewout ter Haar

Re: Security issues: what to do with vulnerable plugins?

by David Mudrák -

Thanks Ewout for raising this important topic.

I can see the reasoning for removing the affected plugin from the plugins directory - at its current stage, it simply does not pass the approval criteria. And I did so.

However, this is still kind of an ad-hoc solution. I would very much prefer if a standard procedure for how to sort out this class of situations is proposed and discussed.

In reply to David Mudrák

Re: Security issues: what to do with vulnerable plugins?

by Mike Churchward -

Seems like there should also be some method of informing people using this plugin that it has a serious security issue - especially one as serious as exposing the contents of config.php.
In reply to Mike Churchward

Re: Security issues: what to do with vulnerable plugins?

by David Mudrák -

Which I think takes us back to what https://moodle.org/mod/forum/discuss.php?d=378048 started with in the first place.

In reply to David Mudrák

Re: Security issues: what to do with vulnerable plugins?

by Justin Hunt -

That last thread was re how/if to have some way of notifying users of a plugin. I wonder if we were overthinking that.

There are not that many security issues that come to light with existing plugins. So could we just send out a security alert to all Moodle admins in the same way we send out the Moodle core security alerts? Then there would be no need to try and track who was using the plugin. Or to give plugin maintainers any special info/privileges.

The process would simply be alerting @David who would make a decision about whether it warranted an alert.