Teachers can still hijack Moodle sites with arbitrary javascript


Posted by Petr Skoda
Number of replies: 3
More than a year ago I posted here about the fundamental Moodle insecurity caused by the fact that teachers are allowed to add arbitrary HTML markup and files to Moodle sites. Any teacher can make themselves the site admin in a matter of minutes with just a few lines of JavaScript.

After the initial knee-jerk reaction Moodle HQ said that they would investigate and work on a solution, but it appears that they did nothing.

See for yourself:
  1. emperor is naked - now locked
  2. Content processing and user trust - no info there, now locked
  3. https://tracker.moodle.org/browse/MDL-76743  - no progress

Is anybody working on a solution to add an option to strip all JavaScript from teacher-created content and to prevent scripted content in all uploaded files?

Average of ratings: Useful (1)
In reply to Petr Skoda

Re: Teachers can still hijack Moodle sites with arbitrary javascript

Posted by Peter Burnett
We have done a bit of work to cover some of the incoming content. It currently only handles EXIF data and PDF JS, but this could fairly easily be extended to do other arbitrary removals of content. Just pinging it here as another half measure that can cover some gaps. PRs welcome for other mechanisms.

https://github.com/catalyst/moodle-tool_fileredact

A more complete solution, or at least a defined layer of sensitive/destructive actions that require credential re-entry to proceed would be a good start IMO.
In reply to Petr Skoda

Re: Teachers can still hijack Moodle sites with arbitrary javascript

Posted by Brendan Heywood
+1, it's a big risk and a real impediment, especially with high-compliance clients. This comes up on every pentest we deal with.

MDL-76743 is a very big epic and all-encompassing. If I had to pick the most meaningful first baby step forward, I would like to see the bug around allowing users to XSS themselves on their own dashboard fixed, and then remove the hacks added to work around that initial poor decision so that Login-as can be made to work correctly again:

https://tracker.moodle.org/browse/MDL-65813

It *should* be relatively easy to configure a site's role so that people with the XSS risk are limited only to site admins. Sites that want it can keep it, it can even stay the same as a default.
In reply to Petr Skoda

Re: Teachers can still hijack Moodle sites with arbitrary javascript

Posted by QST Support
This is more than a simple matter.
The fact that any teacher can make themselves a site admin is a REAL SECURITY ISSUE.
That Moodle knows about this and has not fixed it leads to obvious legal issues for organizations running Moodle.
If you run this by your legal department they will likely advise you to turn Moodle OFF immediately.
If a user's mark was altered through this, the lawyers would have a field day.

I have read the attached links and googled Moodle security issues.
Moodle has had many security issues over the years (many are basic input validation, etc. that seasoned web programmers would not make).
You have to remember that Moodle was originally written by a computer science graduate with (from what I can gather) very little actual programming experience.
That suspect code has been added to over the years, and now they are trying to correct the bad decisions that were previously made.

Also, by not fixing a real security issue, Moodle is further pushing the myth that open source software cannot be trusted.
This affects other open source projects by painting them with the same brush.

We and others like us who write open source software and correct any security issues that arise admonish Moodle to fix their security issues and quit downplaying their seriousness.

You are making the rest of us look bad!