Mar 23 2009
Working through the Moodle 1.9.4 security report
In 1.9.4, Moodle introduces a new security report tool that checks your Moodle roles against the different security risks their capabilities carry. My colleagues and I just spent the afternoon puzzling through the flags that 1.9.4+ raised in our test Moodle install. Unfortunately, “puzzling” is the operative word here: we spent a big chunk of time just trying to understand what the report was trying to tell us. Here’s what I learned.
To start, you need to understand how much risk Moodle tolerates for each role (defined under “Risks” in the Moodle Docs wiki):
- Guest – only capabilities without any risks are allowed
- Student – certain capabilities with spam risks are allowed
- Teacher – certain capabilities with XSS and privacy risks are allowed
- Administrator – all capabilities are allowed
This is important because any custom role you’ve created is evaluated against the legacy role it is based on, not against the capabilities you actually gave it. So if you start with a student role and add some more advanced, teacher-like options that carry an XSS risk, Moodle will raise a critical warning flag because the role has exceeded the risks normally tolerated for a student.
I need to double-check this, but I think that if you change the legacy role associated with the custom role in question to “teacher”, then your custom capabilities will remain the same, but the report will run against the more permissive teacher role. That said, you may not want to get rid of the warnings (since it is helpful to know what a “super student” role could get themselves into) but at least this write-up should help you understand them.
I’d love to see Moodle create a more user-friendly report that says something like:
- “Your role ‘Teacher Assistant’ is based on the legacy role ‘Student’. By default, students are not allowed to have capabilities that permit Cross-Site Scripting (XSS), but your custom role allows the following XSS capabilities:” followed by a list of the problem capabilities.
You can contribute to improving the Security Report by reading or commenting on this tracker item:
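To make the evaluation rule concrete, here is a small stand-alone model of the check the post describes (the risk tolerated per legacy role, and a custom role flagged when one of its allowed capabilities carries a risk the legacy role does not tolerate), which prints its findings in the plain-language form suggested above. This is an added example, not Moodle’s own report code. The risk bit values follow the constants in Moodle’s lib/accesslib.php; the capability-to-risk table and the “Teacher Assistant” role are constructed for illustration, and the per-legacy-role tolerances are taken from the list earlier in this post.

```python
"""Model of the role risk check described in the post (added example, not Moodle code)."""

# Risk flags a capability can carry (values as in Moodle's lib/accesslib.php).
RISK_MANAGETRUST = 0x0001   # can change what other users are trusted to do
RISK_CONFIG      = 0x0002   # can change site configuration
RISK_XSS         = 0x0004   # can submit unfiltered HTML/JavaScript
RISK_PERSONAL    = 0x0008   # can see other users' private data ("privacy risk")
RISK_SPAM        = 0x0010   # can post content seen by many users
RISK_DATALOSS    = 0x0020   # can destroy large amounts of data

RISK_NAMES = {
    RISK_MANAGETRUST: "trust",
    RISK_CONFIG: "config",
    RISK_XSS: "XSS",
    RISK_PERSONAL: "privacy",
    RISK_SPAM: "spam",
    RISK_DATALOSS: "data loss",
}

# Risks each legacy role is expected to tolerate, per the list in the post.
LEGACY_ALLOWED = {
    "guest": 0,
    "student": RISK_SPAM,
    "teacher": RISK_SPAM | RISK_XSS | RISK_PERSONAL,
    "admin": RISK_MANAGETRUST | RISK_CONFIG | RISK_XSS | RISK_PERSONAL | RISK_SPAM | RISK_DATALOSS,
}

# Constructed capability -> risk mask table. The capability names are real Moodle
# capabilities; the masks are illustrative assumptions, not copied from Moodle.
CAPABILITY_RISKS = {
    "moodle/course:view": 0,
    "moodle/block:view": 0,
    "mod/forum:startdiscussion": RISK_SPAM,
    "mod/forum:replypost": RISK_SPAM,
    "moodle/course:manageactivities": RISK_XSS,
    "moodle/user:viewhiddendetails": RISK_PERSONAL,
    "moodle/role:assign": RISK_MANAGETRUST,
    "moodle/site:config": RISK_CONFIG,
    "moodle/course:delete": RISK_DATALOSS,
}


def risk_names(mask):
    """Human-readable names for every risk bit set in mask, in ascending bit order."""
    return [name for bit, name in sorted(RISK_NAMES.items()) if mask & bit]


def audit_role(legacy, allowed_caps, cap_risks=CAPABILITY_RISKS, legacy_allowed=LEGACY_ALLOWED):
    """Compare a custom role's allowed capabilities against its legacy role.

    Returns {risk name: [capabilities]} for every allowed capability whose risk
    bits exceed what the legacy role tolerates. An empty dict means no flag.
    """
    tolerated = legacy_allowed[legacy]
    findings = {}
    for cap in allowed_caps:
        excess = cap_risks.get(cap, 0) & ~tolerated   # risk bits the legacy role does not tolerate
        for name in risk_names(excess):
            findings.setdefault(name, []).append(cap)
    return {name: sorted(caps) for name, caps in sorted(findings.items())}


def format_report(role_name, legacy, findings):
    """Render findings in the plain-language form the post asks for."""
    if not findings:
        return "Role '%s' (legacy role '%s'): no capabilities exceed the legacy role's risk profile." % (
            role_name, legacy)
    lines = []
    for risk, caps in findings.items():
        lines.append(
            "Your role '%s' is based on the legacy role '%s'. By default, %ss are not allowed "
            "capabilities with %s risk, but your custom role allows: %s"
            % (role_name, legacy, legacy, risk, ", ".join(caps)))
    return "\n".join(lines)


if __name__ == "__main__":
    # A "super student": the student legacy role plus two teacher-like capabilities.
    super_student = {
        "moodle/course:view",
        "mod/forum:startdiscussion",
        "moodle/course:manageactivities",
        "moodle/user:viewhiddendetails",
    }
    print(format_report("Teacher Assistant", "student", audit_role("student", super_student)))
    # The same capability set re-based on the teacher legacy role raises no flag.
    print(format_report("Teacher Assistant", "teacher", audit_role("teacher", super_student)))
```

Running it flags the student-based role for both XSS (moodle/course:manageactivities) and privacy (moodle/user:viewhiddendetails), while the identical capability set based on the teacher legacy role produces no findings, which is the behaviour the post attributes to the report. Note that the model only checks capabilities set to allow; prevented or prohibited capabilities are simply left out of the set passed to audit_role.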