Code review scan via fortify


by Syed HameedUllah -
Number of replies: 3

Hi Folks,

I have been trying to find a solution for the code review of issues reported via Fortify. There are 2059 Critical and 1015 High severity issues.

Moodle 3.9 Stable LTS running on a Windows machine with XAMPP (PHP 7.3).

The application has to go live in production upon completion of these issues.

Please suggest fixes for this. I have implemented some custom plugins from the Plugins directory which are not mentioned in the list of vulnerabilities provided by Fortify.

Thanks in advance 🙂

Attachment VA_report_SS.PNG
In reply to Syed HameedUllah

Re: Code review scan via fortify

by Michael Hawkins -

Hi Syed,

Automated testing suites like this do not necessarily detect vulnerabilities; they detect the possibility of something matching a pattern that could indicate a vulnerability. The positive results all need to be manually verified before you can confirm a vulnerability exists. When scanning Moodle, these tools are notoriously inaccurate.

I have reviewed numerous reports of this type in the past (totalling thousands of pages), and do not recall logging a single legitimate security issue from their findings. Though the number of matches seems like a lot, one of the key takeaways in my experience is that they'll match against every repeated instance of a finding, for example many pages using some shared code can result in one false positive being listed as hundreds of matches in the report.

I would suggest reviewing the content carefully, and if you discover any legitimate issues, report them via our security submission form, which you can find at https://moodle.org/security/report/. That way, any findings can be triaged and verified through our Vulnerability Disclosure Program, and any confirmed issues can be addressed. As we do adhere to a Responsible Disclosure Policy (which means we do not release security information until a patch has been released), this is the safest way to report any security findings. Please ensure you do not post any potential issues to this public forum.

I hope that helps!

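The point above about one false positive being listed as hundreds of matches is the first thing to deal with when triaging a report of this size. The script below, an added example that is not Moodle's code and not a Fortify tool, collapses scanner matches that share a category and sink location into one finding and re-tallies severities on the collapsed set. The column layout, file paths and line numbers are constructed for the example (a real Fortify FPR or CSV export has its own schema, so its columns would need to be mapped onto these keys first).

```python
"""Triage helper for static-analysis exports: collapse repeated matches.

Added example for this thread, not Moodle's code and not a Fortify tool.
The column layout below is constructed; a real Fortify export (FPR/CSV)
has its own schema, so map its columns onto these keys before use.
"""
import csv
import io
from collections import Counter, defaultdict

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed sample export. File paths and line numbers are placeholders,
# not locations in Moodle. Several entry pages include the same shared
# file, so one pattern match in that file shows up once per page.
SAMPLE_CSV = """category,severity,sink_file,sink_line,entry_file
Cross-Site Scripting: Reflected,Critical,lib/shared_output.php,120,page_a.php
Cross-Site Scripting: Reflected,Critical,lib/shared_output.php,120,page_b.php
Cross-Site Scripting: Reflected,Critical,lib/shared_output.php,120,page_c.php
SQL Injection,Critical,lib/shared_db.php,88,report_a.php
SQL Injection,Critical,lib/shared_db.php,88,report_b.php
Path Manipulation,High,lib/shared_files.php,40,download.php
"""


def parse_findings(text):
    """Read the export into a list of dicts, one per reported match."""
    return list(csv.DictReader(io.StringIO(text)))


def signature(finding):
    """Two matches naming the same category and sink location are the
    same underlying finding, whichever page the scanner entered from."""
    return (finding["category"], finding["sink_file"], int(finding["sink_line"]))


def collapse(findings):
    """Group matches by signature and return one row per unique finding,
    carrying severity, match count and the pages that reach the sink,
    ordered by severity and then by how many matches were absorbed."""
    groups = defaultdict(list)
    severity = {}
    for f in findings:
        sig = signature(f)
        groups[sig].append(f["entry_file"])
        severity[sig] = f["severity"]
    unique = [
        {
            "category": sig[0],
            "sink": f"{sig[1]}:{sig[2]}",
            "severity": severity[sig],
            "matches": len(pages),
            "entry_files": sorted(pages),
        }
        for sig, pages in groups.items()
    ]
    unique.sort(key=lambda u: (SEVERITY_ORDER.get(u["severity"], 99), -u["matches"]))
    return unique


def severity_counts(findings, unique=False):
    """Tally by severity, either over raw matches or collapsed findings."""
    rows = collapse(findings) if unique else findings
    return dict(Counter(r["severity"] for r in rows))


if __name__ == "__main__":
    raw = parse_findings(SAMPLE_CSV)
    print("raw matches:    ", severity_counts(raw))
    print("unique findings:", severity_counts(raw, unique=True))
    for u in collapse(raw):
        print(f"{u['severity']:<8} {u['category']:<32} {u['sink']:<24} x{u['matches']}")
```

On the constructed sample, six matches collapse to three findings, and the Critical count drops from five to two. The collapsed list is the queue to review by hand; each row's entry_files shows which pages are cleared at once if the shared sink turns out to be a false positive.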
In reply to Michael Hawkins

Re: Code review scan via fortify

by Syed HameedUllah -
Thanks Michael for the reply and help.

I have been through the report carefully; it shows major issues on GET and POST method usage, apart from the issues from JavaScript libraries.
I will check with the report and see if I can report any legitimate issues.