Moodle security is a major concern to everyone that uses this open source online Learning Management Software. Like all other web application software, it tends to be complex and each feature may be prone to security attacks in the future or from time to time with a combination of strings that the programmers had not anticipated.
Below are some of the simple to complex security threats and measures that every site developer should put in place to ensure that the site is not compromised.
Moodle Security – Overview
Simple Security Initiatives
- No matter how secure a site may be, it might be prone to attacks and security threats. The best security strategy would be to anticipate such a scenario. Should there be an attack that wipes out all the data, the one should have backup and restoration procedures for the site.
- It is also important to run regular software updates from Moodle.com. Most of them are Moodle security updates on similar or anticipated attacks on the software. Crackers attention is attracted by published security loopholes, thus, older versions may become vulnerable to such threats.
Moreover, one should ensure that the operating software is regularly updated. One could run automated updates or scheduled script to check for any updates on both the software and operating system.
- Production servers should have a security model of different layers. This makes hacking difficult. The organization should enforce a security policy on all its sites to ensure maximum protection. The same should be extended to the password policy. A strong password policy in terms of complexity, characters and history prevents the basic method of hacking accounts.
Administrator and teacher passwords should be given to trusted users. Free teacher accounts might open some avenue for large amount of data to be abused or stolen.
- Where an organization uses different systems for different tasks, it is always advisable to separate the systems in terms of their security configurations and passwords. These safeguards against widespread security attacks in the whole system.
- All unused network ports and services should be disabled. It is easier for attacks to be launched on the two areas. One may use netstat tool to review open network ports and disable them. Furthermore, experts advise for organizations to invest in two firewall systems to increase site security. One may receive Moodle security updates by registering the site at Moodle.com and joining the mailing lists. One may also get important updates through RSS Feeds from Moodle.com
Moodle is basically more secure than most proprietary software in several fronts. First, the ability to enforce password complexity and expiration and its support for SSL enables the administrators ensure that users have strong passwords. Secondly, its source can be reviewed for security issues. One is only able to review the source code of proprietary software depending on what the vendor says.
Unfortunately many of them would give promises that they do not deliver. Since Moodle is by large extent open source software, many experts may look at the code and give their input in making Moodle security stronger.
Some Security Vulnerabilities
Some of the major attacks on Moodle sites include session attacks, authentication hijacks, attacks on denial of service and cross site scripting. Over time Moodle has been unable to enforce https on the entire site. However, with the security updates and use of LDAP (Lightweight Directory Access Protocol) for authentication, SSL enforcement is now possible. For high security, one could contact other 3rd Party full code level security audit such as SpikeSource to scrutinize all applications that one is considering on their site.
Some of the recently published security announcements include:
a) Cross site scripting was found to be possible with the Flowplayer. This affected earlier versions of 2.4 to 2.4.8, 2.5 to 2.5.4 and 2.6 to 2.6.1. a Flowplayer upgrade was able to solve the Moodle security issue.
b) There was incorrect filtering of question strings possibly allowing cross site scripting. This also affected the above Moodle versions. Moodle security upgrade was able to fix later versions of the above i.e. 2.5.5 and 2.6.2
c) There was also the possibility of authenticated users to toggle the visibility of other user badges. This issue affected software version 2.5.5 and 2.6.1. This was resolved in versions 2.6.2 and 2.5.2
d) There was user information and identity leak for forum and question users. Ideally, settings are supposed to prevent users from seeing other user email addresses. This issue affected version 2.4 to 2.4.8, 2.5 to 2.5.4 and 2.6. to 2.6.1 and the earlier versions. This issue was fixed in all the later versions.
e) There was missing access to Wiki pages, allowing students to view other students’ individual wikis through recent activity block. This issue also affected the above software versions. An upgrade to later versions solved the issue.
f) It was possible for users to start Facebook activity when such activity was supposed to have been closed. Dates for feedback availability were thus not honoured.
g) There was a cross site request forgery in User, Profile and index PHP for versions 2.2.11, 2.4.x and before and 2.6.x and before that allowed remote hijackers to hijack administrator authentication requests that deleted the above fields. Later versions fixed the above issue.
Other Moodle Security Recommendations
1. When creating new accounts at Moodle, it is advisable to use captcha to ensure that only humans create new profiles not spam bots.
2. Assign different permissions to different files to maximise on their security. This is dependent on the importance of the file. It is also important to create custom roles so as to control who accesses what in the site.
3. It is important to schedule regular antivirus scans on the system to identify Moodle security threats that have been introduced to the system and deal with them promptly.
4. It is important to have log analysis tools to monitor operating system logs, web server logs, user logs, firewall logs and PHP logs. This helps notice hijack attempts on the system.
In summary, to ensure high Moodle security, the site administrator should combine best site practices, invest in good hardware and software and keep the Moodle software up to date.