Moodle Tip – Hands-On Security Troubleshooting

After re-reading my original Moodle Tip about how to Keep Moodle Safe, I thought it might be fun to do a standard installation and explore some of the issues that arise when securing Moodle.

One of the suggestions in working with Moodle is to take a look at the Security Overview. This is a report in Moodle that appears under REPORTS -> SECURITY OVERVIEW. Here is what a screenshot of that Security Overview (with some problems) looks like:

A quick list of the problems evident:

  1. Display of PHP Errors
  2. Allow Embed and Object
  3. Password Policy not set
  4. Writable config.php file
  5. XSS Trusted Users
  6. Administrators

Now, Moodle provides you with some specific suggestions on how to fix these issues. I don’t consider items 2, 3, and 6 problems in this situation. Here’s why:

  • Item #2: While Allowing Embed and Object enables people to embed YouTube, TeacherTube videos, etc., I can keep track of the users doing so (they are all school district employees).
  • Item #3 involves the password policy not being set. It’s not an issue in my environment because I’m using Active Directory/LDAP.
  • Item #6 is not a problem because I want certain people to have admin rights for the whole Moodle and I know who those are.

That leaves me with these errors and WHY these are problematic:

  • Display of PHP Errors – displaying errors gives away information about your server that attackers could use against you. Moodle explains this when you click on the error: “Enabling the PHP setting display_errors is not recommended on production sites because error messages can reveal sensitive information about your server.”
  • Writable config.php file – This is the worst error listed in this Moodle installation.
  • XSS Trusted Users – According to this resource, XSS is an abbreviation for Cross Site Scripting. This refers to a type of computer security vulnerability where malicious users can add carefully-constructed comments to web pages with the intention of fooling web browsers.

    This is a list of all the users in your Moodle who have rights/permissions to place content that might be “dangerous” in your Moodle site, wherever they have rights.

    When you see this, it means you need to click on the link and verify that the users listed SHOULD have the authority to embed a variety of content (e.g. multimedia, JavaScript, etc.). If they are admins or teachers on your Moodle, then you’re OK. However, if there is someone there you DO NOT know or trust, then you need to adjust their privileges.

Of all the problems on this site, the worst is a writable config.php. To fix this, I “right-clicked” on the item and changed the permissions. Now, I don’t get the error.
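For readers who would rather check these two findings from a shell on the server than through the file manager, here is an added example (my own script, not code from the post or from Moodle) that flags a writable config.php and a php.ini with display_errors turned on, and clears the write bits on config.php. It assumes a POSIX shell with ls, cut, grep, sed and chmod, and that the paths you pass are your own config.php and php.ini.

```shell
#!/bin/sh
# Added example, not from the post or from Moodle: check two Security Overview
# findings from the shell and harden the first one.

# Print the nine rwx permission characters of a file (e.g. rw-rw-r--).
perm_bits() {
    ls -ld "$1" | cut -c2-10
}

# "Writable config.php": true (0) if owner, group or other has a write bit.
# Moodle warns when the web server user can write the file, so clearing every
# write bit is the conservative fix.
config_is_writable() {
    case "$(perm_bits "$1")" in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Make config.php read-only (owner and group keep read access, which is all
# the web server needs), then re-check that no write bit remains.
harden_config() {
    chmod 440 "$1" && ! config_is_writable "$1"
}

# "Display of PHP Errors": true (0) if the given php.ini turns display_errors
# on. Commented-out lines (starting with ';') are ignored, the last active
# setting wins, and a trailing "; comment" after the value is stripped.
display_errors_enabled() {
    grep -i '^[[:space:]]*display_errors[[:space:]]*=' "$1" \
        | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]].*$//' \
        | grep -qiE '^(on|1|true|yes|stdout|stderr)$'
}

# One WARN line per finding, nothing when both checks pass.
security_report() {
    cfg=$1; ini=$2
    config_is_writable "$cfg" && echo "WARN config.php is writable ($(perm_bits "$cfg"))"
    display_errors_enabled "$ini" && echo "WARN display_errors is on in $ini"
    return 0
}
```

Run it as `security_report /path/to/moodle/config.php /etc/php.ini` after sourcing the script; an empty report means both findings should clear on the next Security Overview refresh.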

If you know more about this, please share. In the meantime, I’m comfortable with the Moodle site reflected above.

