Require Moodle Security Audit Certificate

by Jbs Shadap -
Number of replies: 22
We want to deploy Moodle LMS in our State data Centre for our govt institution. However the State data centre requires a Security Audit certificate. Where can I download or get this certificate?


Your prompt attention and response is highly appreciated 

In reply to Jbs Shadap

Ri: Require Moodle Security Audit Certificate

by Sergio Rabellino -
IMHO a security audit should be done against a service, not against a software.
Moodle could be hypersecure (and mostly it is) but the deploy could be totally insecure, so what is the value of having such an audit for Moodle?
I believe that you should pay some consultant and an authority for security certification that has to be valid for your country's laws.
So, in my knowledge, the answer to your question about the download is “nowhere”.
Average of ratings: Useful (2)
In reply to Sergio Rabellino

Re: Ri: Require Moodle Security Audit Certificate

by Jbs Shadap -
Moodle being an open source application, I know it is highly secure and this is the reason we are using it.

But now for production, they are asking for a Security Audit Clearance Certificate.
Is there any reference or document so that I can share with the Data State Centre team to prove that Moodle is hypersecure?

Thanks for your response
In reply to Jbs Shadap

Re: Ri: Require Moodle Security Audit Certificate

by Ken Task -
There doesn't seem to exist an 'international' Security Audit Clearance Certificate is there?
So what's your 'State' requirements to pass muster?

'SoS', Ken


In reply to Ken Task

Ri: Re: Ri: Require Moodle Security Audit Certificate

by Sergio Rabellino -
AFAIK, it cannot exist for a piece of software; it's useless. Are they asking for it like asking for a trip to Alpha Centauri?
In reply to Jbs Shadap

Re: Ri: Require Moodle Security Audit Certificate

by Dan Marsden -
You might need to engage with your local Moodle Partner for this - Moodle Partners are often asked to provide security documentation for our hosted solutions too - it can also depend on the jurisdiction you are in which is why engaging with your local Moodle partner can help as they may have needed to satisfy similar requirements for other government institutions within your country.

Various ISO policies like ISO 27001 and ISO 9001 can be important, but also regular pen-testing reports - but these depend more specifically on how you have implemented Moodle and the surrounding processes and systems rather than Moodle itself.

Moodle publishes some information here that may provide some useful information as well.
https://moodle.com/security-privacy/

however if you are looking for a "certification" for your self-hosted solution - you will likely need to engage someone commercially (pay them) to audit your system and provide this for you - and who that can be may depend on your government's requirements.
Average of ratings: Useful (2)
In reply to Jbs Shadap

Re: Ri: Require Moodle Security Audit Certificate

by QST Support -
That's an 'urban myth'. There is no documented proof that is the case for open source software.

People who contribute to open source software (from what I have seen) usually add new features, they are not deep diving into the code and looking for bugs (there is no glory in that).
Ask any of the people here who have contributed if they have read over any of that old code and fixed it.


Moodle has a lot of issues, see for yourself at moodle.org/security/

You will not find any answers here, people here make a living charging for their Moodle knowledge, you are always encouraged to use a Moodle partner, no info is given away freely as you would expect from a true open source project.

Also, you don't see moodle saying anywhere that they have a secure product.
They could have someone do a deep audit and then provide it free for all their customers, which would definitely be a motivator for people to use their product but they don't. Why not? Because they know the result.

See also the reddit/moodle security forum for additional info.  

(Edited by Mary Cooch to remove contentious content - original submission Friday, 29 March 2024, 11:08 PM)

In reply to QST Support

Re: Ri: Require Moodle Security Audit Certificate

by Dan Marsden -
That's an extreme mis-quote of what Brendan said in the thread you reference.

Your reference to "no answers here" is also incorrect; before you posted I provided an answer to the original poster's question - it is definitely possible to get this sort of report - the local Moodle partner should be able to help but there is usually a cost involved there.

We've moved away a lot from the original poster's question here in the subsequent comments and Andrew and Mary from Moodle HQ have provided some initial responses - and all while they were supposed to be on holiday and not even engaging in the forums.

I have personally reviewed many security audits by external pen-testers on Moodle and other tools, and in general they provide a good report on Moodle - there is always room for improvement and we do see some regular themes like recommendations around MFA, implementing CSP, and

Moodle's decision to allow teachers (not students) to perform XSS is well documented by Moodle HQ as a design decision and not treated by them as a security issue, however some people would like the ability to tighten this up so that teachers are not fully trusted to do this - which is mainly what the thread that has since been deleted was discussing. This is documented in many places including: https://docs.moodle.org/403/en/XSS_trusted_users

I do think there is a case for providing the ability for a Moodle site to prevent teachers from having the ability to perform XSS against the site and this does also come up in various pen-tests but it's a design decision Moodle has deliberately made - to allow teachers to add rich content within the site.

I think that's the last I'll say here in this thread.
Average of ratings: Useful (1)
In reply to QST Support

Re: Ri: Require Moodle Security Audit Certificate

by Brendan Heywood -
This is extremely out of context. Do NOT quote me, or my employer (Catalyst) in this way, it's bordering on defamation and doesn't reflect either of our positions.

We regularly get security audits for our clients and Moodle consistently gets very good results, and when issues are found they are triaged and solved quickly.
In reply to Brendan Heywood

Re: Ri: Require Moodle Security Audit Certificate

by QST Support -
Did I quote your employer? No. You're the one that brought them into this.

Did I quote you? From what I can recall those are the words you said.
If Moodle would show the whole discussion, then things would be cleared up.
If it's not that big a deal, why was the discussion/thread hidden as AL Rachels said?

Why did it go from no one would say anything about it to now all sorts of people saw it?
Only by my tenacity to ensure people who use open source software can be somewhat assured that the software is safe.
Once they start bringing out the legal stuff, you know there is something up.
The judge would likely ask to see the discussion, otherwise it's he said, she said.
As I said in the other thread, I will apologize if I misinterpreted the discussion.

If Moodle cannot show the discussion/thread, I know how to go back in their backups, find the backup for that time period, they can fire up a new Moodle and we can replace the database and read the discussion.
I am even willing to help you clear the air..., how much more can I do?
What an evil person I am.
In reply to QST Support

Re: Ri: Require Moodle Security Audit Certificate

by Dan Marsden -
You claimed "Brendan Heywood (a moodle partner) mentioned they regularly loose customers because of moodle's insecurity."

I don't think there's any point further engaging with you over this except to say we have now asked you to refrain from incorrectly attributing statements - this is a clear violation of the community policy and your recollection of the statement made in the thread is incorrect.
In reply to Sergio Rabellino

Re: Ri: Require Moodle Security Audit Certificate

by QST Support -
The software is the service.
If the software itself has holes, how you deploy it will not fix it.
It's like the privilege escalation issue in one of the trackers that says a Manager can gain admin control (that I believe is still not fixed).
No matter how you deploy the software as a service, the issue is still with the software.
If the software is secure moodle can state in their install instructions that deploying it according to their instructions will give you a secure service.
But they don't.
In reply to QST Support

Ri: Re: Ri: Require Moodle Security Audit Certificate

by Sergio Rabellino -
No, never. Software != Service (think about it: those are two different words...)
As I said in another post in response to your criticism, if you have problems with Moodle, there are many other LMS in the world...
Anyway in more than 15 years and more than 60 Moodle installations currently running, I never had any security issues.
Average of ratings: Useful (1)
In reply to Sergio Rabellino

Re: Ri: Re: Ri: Require Moodle Security Audit Certificate

by QST Support -
So what does the service run? Some software...
Did you read through all that code? No.

Why is there such an issue in discussing Moodle's security?
I would think they would only be too happy to extol how good their security is?
Is that not a big plus to say to your customers?
Their silence is very telling.

Running my code I have never been hit by lightning - so by your logic my code keeps lightning away from me.
One has no correlation to the other.

What about that issue raised by Petr in the deleted thread about privilege escalation from a teacher's account to administrative?
Do you understand the huge security hole that is?

A kid gets their teacher's account, goes in and uploads the javascript to elevate their privilege to administrative, creates a new teacher's account; if you have hundreds of teachers you have no idea a new one was added. Now they can get admin privileges when they want. With admin privileges you can alter/change students' marks, so now the student can sell marks and you have no idea they are in there. They might not do it in your class cause they know you are paying attention, but there are plenty of teachers who may not be.
You have no idea you have been compromised.

I know there are other LMSs; I only want to help the open source ones be better. You can berate mine at https://sourceforge.net/projects/qstonline/
I'll stand up for mine.

By the way, I have some software to sell you, if you run it you will never be hit by lightning.
In reply to QST Support

Re: Ri: Re: Ri: Require Moodle Security Audit Certificate

by Mary Cooch -
Hello again. A few points:

  • Re: "I would think they would only be too happy to extol how good their security is? Is that not a big plus to say to your customers?"
    There is a page Security and Privacy on moodle.com and a recent blog post Explore Moodle's advanced security features.
  • Everyone is welcome to discuss security on here but remember to adhere to our Security policy and responsible disclosure. 
  • The issue you mentioned about teachers - I am mentioning it here since it is public - is related to MDL-76743. Again, I'm not a developer but it is much more nuanced than has been implied; hence the challenges resolving it.

It's Easter weekend for many in Moodle HQ - and I'm about to go off and spend time with my granddaughter, so just a polite reminder to all about our Forums code of conduct and our Site policy. Thanks!

In reply to Mary Cooch

Re: Ri: Re: Ri: Require Moodle Security Audit Certificate

by QST Support -
But that is just the issue, I am a developer (for many, many, many decades, more so than anyone at Moodle HQ including Mr. Moodle) and I read Petr's thread before it was deleted and the tracker you are saying is related is not. This is not a complex issue to me.

There is no mention of privilege escalation in there that i can find? If you want to point it out to me that would be great.
No hurry, after you visit your granddaughter is fine.

Also, nowhere in all that Moodle ramble does it say Moodle is secure.

In reply to Jbs Shadap

Re: Require Moodle Security Audit Certificate

by QST Support -
You may want to go here moodle.org/mod/forum/discuss.php?d=457050 and see the following attached to it.

Hi there,
I have moodle 4.1.6 running on Ubuntu 22.04. Everything seems fine and it has gone for VAPT auditing and there they have flagged https://mysite.com/lib/requirejs/1702641343/.htaccess is throwing some random page which they are saying is leaking sensitive information.
If I type https://mysite.com/lib/requirejs.php it says "Invalid request" but when I add https://mysite.com/lib/requirejs.php/1702641343/.htaccess the page is being displayed.
One strange thing I found is even if I type any random value after requirejs.php/123231432/ I still get that page.
I don't want to expose that page. Any help on this would be of great help.

Things I have tried: Gave restricted permissions to this file but main page seems irresponsive. Tried restricting it with .htaccess but no help.

Does the same on moodle.org, I noted also.
In reply to QST Support

Re: Require Moodle Security Audit Certificate

by Ken Task -
@QST Support

I shouldn't respond cause am not a moodle security expert, but ...

Am confused ... you say that javascript displays an .htaccess file?

In moodle4x code acquired by git:

find ./moodle4?/ -name .htaccess
Returns nothing found.

Not even an example htaccess.txt file:
find ./moodle4?/ -name htaccess.txt
returns nothing found.

There is an .htaccess file once moodle is installed in moodledata directory
and it contains:

"deny from all
AllowOverride None
Note: this file is broken intentionally, we do not want anybody to undo it in subdirectory!"

It is there to protect users who host with providers that have one-click installers
and those one-click installers place moodledata directory inside moodle code.
Something Moodle doesn't recommend users do.

I too get a bunch of junk using the url you provided on one of my 4.x sites - which doesn't have any .htaccess files except the one in moodledata ... but can't get a really important file like config.php of site - try that one and I get 'Invalid Request'. Nor can I try relative addressing to get a peek at anything in moodledata.

But maybe am just too ignorant of the ramifications.

Now if I saw many of those requests I might consider installing something that would take care of it or even block that IP address or range of IP addresses at the network layer.

If I wasn't a long time user of Moodle (am 76 years of life experiences), think I'd be concerned ... especially if I was 'shopping' for software for online instruction ... which QST is/does ... but only for Quiz/Survey/Test. Interesting ... is 100% Perl based. Hmmmmmm ....

'SoS', Ken
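As an added defender-side example (not code from this thread, from Moodle or from Ken), here is a Python check over constructed Apache access-log lines that flags requirejs.php requests whose suffix is not a .js module, such as the .htaccess URL from the VAPT finding quoted above, and counts them per client IP so a noisy source can be reviewed or blocked. The legitimate URL shape /lib/requirejs.php/<jsrev>/<module>.js, the threshold and the sample log lines are assumptions.

```python
import re
from collections import Counter

# Apache "combined"/"common" log line: ip ident user [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed legitimate shape of a RequireJS asset URL: a numeric jsrev (or -1 in
# developer mode) followed by a module path ending in .js, e.g. core/first.js.
RJS_PREFIX = '/lib/requirejs.php/'
LEGIT_SUFFIX = re.compile(r'^/lib/requirejs\.php/(-1|\d+)/[\w/.-]+\.js$')


def is_suspicious_requirejs(path):
    """True for a requirejs.php request that asks for anything other than a .js
    module (e.g. .htaccess or config.php), as in the VAPT finding above."""
    path = path.split('?', 1)[0]          # drop any query string
    if not path.startswith(RJS_PREFIX):
        return False
    return LEGIT_SUFFIX.match(path) is None


def scan_access_log(lines, threshold=3):
    """Return (flagged, noisy_ips): every suspicious request as (ip, path, status),
    and the sorted list of client IPs with at least `threshold` such requests."""
    flagged = []
    per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip lines that are not in the expected format
        if is_suspicious_requirejs(m['path']):
            flagged.append((m['ip'], m['path'], int(m['status'])))
            per_ip[m['ip']] += 1
    noisy = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return flagged, noisy


# Constructed sample log: two normal asset fetches, one probing client, one unrelated hit.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Mar/2024:23:08:01 +0000] "GET /lib/requirejs.php/1702641343/core/first.js HTTP/1.1" 200 51234',
    '203.0.113.5 - - [29/Mar/2024:23:08:02 +0000] "GET /lib/requirejs.php/-1/core/templates.min.js HTTP/1.1" 200 2011',
    '198.51.100.7 - - [29/Mar/2024:23:09:10 +0000] "GET /lib/requirejs.php/1702641343/.htaccess HTTP/1.1" 200 812',
    '198.51.100.7 - - [29/Mar/2024:23:09:11 +0000] "GET /lib/requirejs.php/123231432/.htaccess HTTP/1.1" 200 812',
    '198.51.100.7 - - [29/Mar/2024:23:09:12 +0000] "GET /lib/requirejs.php/1702641343/config.php HTTP/1.1" 400 0',
    '192.0.2.9 - - [29/Mar/2024:23:10:00 +0000] "GET /course/view.php?id=2 HTTP/1.1" 200 9021',
]

if __name__ == '__main__':
    hits, noisy = scan_access_log(SAMPLE_LOG)
    for ip, path, status in hits:
        print(f'{ip} {status} {path}')
    print('review/block candidates:', noisy)
```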
In reply to Ken Task

Re: Require Moodle Security Audit Certificate

by QST Support -
Yes, QST is actually mod_perl, an important distinction because the mod_perl interpreter is loaded into Apache at run time.

QST was written for a specific purpose, vs moodle which is much more general.
It's the difference between a delivery van and a sports car.

QST is the sports car written to do large scale quizzing and testing on minimal hardware (we wrote it with third world countries in mind, where they do not have access to unlimited computer hardware). Its code is optimized for that along with the database. And the biggest point, it runs well on Windows, so most can easily run it.

Moodle is covering the whole gamut so is not optimized for any particular thing so more the delivery van approach.
Your delivery van is never going to perform like that sports car, but your sports car will not fit that refrigerator in to move it to your mother's house.

That PHP's motto is "add more hardware" adds to the whole inability of third world countries being able to run the software.

We intentionally wrote the converter to change QTI questions into Moodle XML as we keep track of all the LMSs and quizzing software and saw there was a need for users to be able to move their questions from platform to platform.

Moodle is a partner of QTI which makes it even stranger that they do not follow the "standard".

Unlike the others here you actually tried it on other files; I do not run Moodle and was wondering about that.

Oh well, one day I will read through all that Moodle code (I saw someone mentioned it was about 800,000 lines, mine is about 80,000 only ten times more) and find that bug that Petr posted and post it back here. You can only add so much to quizzing/testing software, and we are not the least bit interested in who made the question, nor what version it is, nor all the other extra stuff Moodle has added which from what I can infer from the people I correspond with (especially in K-12, never mind the universities) do not care about.

People are looking for secure software and Moodle's unwillingness to state that is to their own detriment.

I am retired and QST is my retirement activity and I have a LOT of time.

(Edited by Mary Cooch to remove insulting comments - original submission Monday, 1 April 2024, 4:33 AM)

In reply to QST Support

Re: Require Moodle Security Audit Certificate

by QST Support -
AL Rachels finally admitted in the other thread that there was a thread by Petr that they now say is hidden and if I am so smart I can figure it out.
Ha, ha.
Kindergarten thinking.
Thanks for that.
A real honest way to run your business.
Now I can report to Reddit Moodle that it has been confirmed.

In reply to QST Support

Re: Require Moodle Security Audit Certificate

by AL Rachels -
While I have mostly enjoyed reading your forum entries, you've made multiple assumptions here.
I do not work for Moodle HQ so it is only me saying I saw the thread at one time, not anyone from Moodle HQ has said anything yet that I have read. Following the link I have just reports the thread is hidden.
I never went to kindergarten so do not have experience with that level of thinking.
Since no one from Moodle HQ has confirmed or denied anything, it would be jumping the gun, to go and report something on Reddit that is not proven.
In reply to AL Rachels

Re: Require Moodle Security Audit Certificate

by QST Support -
I did not say you work for Moodle HQ.
Reading comprehension is a big part of understanding; maybe kindergarten would have helped you in that aspect.

No one from Moodle HQ will say anything, that is the issue.
Their silence on it is incriminating.
If the way they respond to security issues is to cover them up, then they do a great disrespect to the open source movement and those of us that write open source software.
If this is such a big issue that they could not fix it in 1 year (as Petr alluded to) then this is something major.

But hey, Moodle is in charge of their reputation and now I know why a couple of universities I worked for ran Blackboard instead of Moodle (I was an Oracle database administrator/analyst at that time and we had to run Oracle RAC (which is not cheap) as the database for it to get good response times).
In reply to QST Support

Re: Require Moodle Security Audit Certificate

by Mary Cooch -
Hello all. Bringing this discussion to a close now, just to say that Al was indeed correct that the original thread by Petr was hidden, not deleted. Posts by fake accounts are indeed removed, but discussions by genuine participants which go off topic or become contentious are moved to a hidden 'Removed discussions' forum. We always keep the information for future reference. After review, that discussion thread is no longer hidden, although posts by an obvious fake account were removed.
Average of ratings: Useful (2)