VAPT Issues reported on Moodle 3.9.2+

by Vinod Kumar Aleti -
Number of replies: 4

Hello,

We have planned to upgrade one of our clients' Moodle instances to the latest 3.9.2+. Before the upgrade, at the client's suggestion, we performed a VAPT scan on Moodle core (3.9.2+) and got several issues. The client is concerned about the High, Medium and Low priority issues.

Any solution for this? Please let me know.


In reply to Vinod Kumar Aleti

Re: VAPT Issues reported on Moodle 3.9.2+

by Michael Hawkins -
Hi Vinod,

I would suggest in the first instance that any automated test results require manual verification to confirm they are not false positives (which are common among automated testing suites).

If you would like to report any security issues, please also ensure you are adhering to our Responsible Disclosure Policy, for example disclosing any issues (or potential issues) via email or Tracker (with a security level set when creating the issue) and not on a public forum.

Thanks.
Average of ratings: Useful (1)
In reply to Michael Hawkins

Re: VAPT Issues reported on Moodle 3.9.2+

by Dan Marsden -
Also - it's telling you to use https (which Moodle's own security overview report will be doing too...)

Typically a post like this would get deleted from the forums as it doesn't follow the RDP Michael mentions above, but as the results come from an automated tool it's highly likely they are all bogus (or relate to your misconfiguration of the site and not following Moodle's own security guidelines, like not using https.)

You should also have a good awareness of:
https://docs.moodle.org/en/Security_recommendations

The "Session token in URL" comes up a lot with these automated security scanners - it's because they incorrectly detect our CSRF Token (sesskey) and assume it is a session token which it is not.
Average of ratings: Useful (2)
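To make the manual verification step concrete, here is an added triage helper (not from this thread and not Moodle's own code) that takes a scanner's "Session token in URL" findings and separates Moodle's `sesskey` CSRF parameter from a genuine session identifier leak, using the MoodleSession cookie value seen in the same session as the reference. The URLs, cookie value and function names are constructed for illustration.

```python
"""Triage 'Session token in URL' findings from an automated scan of a Moodle site.

Moodle's `sesskey` query parameter is a per-login CSRF token; the session
identifier itself lives in the MoodleSession cookie. Scanners often flag the
former as if it were the latter, so we compare each URL parameter against the
real session id before accepting the finding.
"""
from urllib.parse import parse_qs, urlparse

# Constructed sample data (not real scanner output): (flagged URL, MoodleSession
# cookie value observed in the same browsing session). Hypothetical host.
SESSION_ID = "k3l9m0n1p2q3r4s5t6u7v8w9"
SAMPLE_FINDINGS = [
    ("https://moodle.example.org/course/loginas.php?id=2&user=5&sesskey=AbC123xyz", SESSION_ID),
    ("https://moodle.example.org/mod/forum/view.php?id=7&MoodleSession=" + SESSION_ID, SESSION_ID),
    ("http://moodle.example.org/user/profile.php?id=5", SESSION_ID),
]


def classify_finding(url, session_cookie_value):
    """Return a triage verdict for one flagged URL."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    # A parameter carrying the actual session id is a genuine leak, whatever its name.
    for name, values in params.items():
        if session_cookie_value in values:
            return "confirmed: session identifier in URL (parameter %s)" % name
    if "sesskey" in params:
        return "likely false positive: sesskey is Moodle's CSRF token, not the session id"
    if parsed.scheme != "https":
        # Not a token finding, but the configuration issue the scan would legitimately raise.
        return "no session-like token found; site is not using HTTPS (see Security recommendations)"
    return "no session-like token found; verify manually"


def triage(findings):
    """Classify every (url, session_cookie_value) pair; returns a list of (url, verdict)."""
    return [(url, classify_finding(url, cookie)) for url, cookie in findings]


if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_FINDINGS):
        print(verdict, "<-", url)
```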
In reply to Dan Marsden

Re: VAPT Issues reported on Moodle 3.9.2+

by Marcus Green -
Have any automated scans of Moodle ever reported a security issue that needed fixing?
In reply to Marcus Green

Re: VAPT Issues reported on Moodle 3.9.2+

by Michael Hawkins -
I suspect you mean have any security issues been identified in core Moodle LMS itself from one of these reports. Off the top of my head, I don't recall having ever raised a security issue for any of the automated reports I've analysed.

I imagine some of the results that relate to the specific instance being tested (like the one in the original post's screenshot) have identified issues that need fixing on that particular site (such as enabling HTTPS and other configurations), though better first ports of call would be site admins checking the Security Overview Report and going through the Security Recommendations documentation that Dan mentioned. Rather than just telling you what the problem is, those will tell you how to configure them, so are a great head start to setting up a Moodle instance securely. If an automated scan is going to be run on the site, doing those steps first will also help eliminate some of the items that the scan would otherwise legitimately raise.
Average of ratings: Useful (2)