Security issues: what to do with vulnerable plugins?

Posted by Ewout ter Haar
Number of replies: 5

I became aware, just now, of this issue with one of the plugins in the plugin directory: https://tracker.moodle.org/browse/CONTRIB-7516.

I can't see the issue, since it's a severe security issue. On the other hand, according to https://docs.moodle.org/dev/Moodle_security_procedures I shouldn't disclose the plugin involved. I have verified that the plugin enabled exposing our config.php in plain text, and I'm sure much worse could have happened.

My question is: what is the responsibility of the plugin directory maintainers in cases like these? In this case, I think the plugin should be removed immediately from the directory (until the vulnerability is solved in a next version). I'm not sure how to deal with the communication with moodle admins that installed the plugin.

Average of ratings: Useful (3)
In reply to Ewout ter Haar

Re: Security issues: what to do with vulnerable plugins?

Posted by Tomasz Muras

The vulnerability seems serious enough and not acted upon for a long time - I think the plugin should be removed from the listing.

Average of ratings: Useful (3)
In reply to Ewout ter Haar

Re: Security issues: what to do with vulnerable plugins?

Posted by David Mudrák

Thanks Ewout for raising this important topic.

I can see the reasoning for removing the affected plugin from the plugins directory - at its current stage, it simply does not pass the approval criteria. And I did so.

However, this is still kind of an ad-hoc solution. I would very much prefer if a standard procedure for how to sort out this class of situations is proposed and discussed.

Average of ratings: Useful (2)
In reply to David Mudrák

Re: Security issues: what to do with vulnerable plugins?

Posted by Mike Churchward

Seems like there should also be some method of informing people using this plugin that it has a serious security issue - especially one as serious as exposing the contents of config.php.
In reply to Mike Churchward

Re: Security issues: what to do with vulnerable plugins?

Posted by David Mudrák

Which I think takes us back to what https://moodle.org/mod/forum/discuss.php?d=378048 started with in the first place.

Average of ratings: Useful (1)
In reply to David Mudrák

Re: Security issues: what to do with vulnerable plugins?

Posted by Justin Hunt

That last thread was re how/if to have some way of notifying users of a plugin. I wonder if we were overthinking that.

There are not that many security issues that come to light with existing plugins. So could we just send out a security alert to all Moodle admins in the same way we send out the Moodle core security alerts? Then there would be no need to try and track who was using the plugin. Or to give plugin maintainers any special info/privileges.

The process would simply be alerting @David who would make a decision about whether it warranted an alert.

Average of ratings: Useful (1)