Update 11/17/2009: Moodle responds to the issue.

Update 11/15/2009: Ken shared an update on the issue as discussed in the Moodle forums, but unfortunately, I’m not sure WHERE such a solution should be applied. Any suggestions?

$CFG->passwordsaltmain = 'very-long-as-random-as-possible-string-with-lots-of-symbols-digits-lower-upper-case-letters'; // goes in the site's config.php

Here’s an update from the Moodle Forum discussing “the fix:”

It can be added to the site config.php, but if that setting actually causes problems for taking course backups, and particularly for restoring backup files with salted passwords (as Petr said in http://tracker.moodle.org/browse/MDL-18807) – because salting should be moved with the backup/restore process – it might be easier to change just the Password Policy – see http://moodle.org/mod/forum/discuss.php?d=137569#p601941


Thanks to Iñaki for the note – it works pretty well, at least against current cracker scripts. I suppose the most important thing is to use at least one non-alphanumeric character (other than a-z & 0-9) in passwords and make sure that all current users change their old weak passwords to new strengthened ones. None of the 10 strengthened passwords (after the change of the Password Policy setting) that I tested with a hash seek script could be cracked. (Now – but it is possible that in the near future those scripts can break all MD5 hashes.)
Source: Moodle Forum post by Mauno Korpelainen
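To make the salt and Password Policy discussion above concrete, here is an added Python example; it is not code from this post, the forum thread, or Moodle itself. It models the two hashing forms the thread talks about, plain md5(password) and md5(password + passwordsaltmain), as an assumption about how Moodle applied the site salt at the time, shows that only an unsalted hash of a common password can be reversed by a precomputed lookup table of the kind the third-party sites use, and checks a password against rules like those in Moodle's Password Policy setting. The salt value, the lookup table contents and the function and parameter names are constructed for this example.

```python
import hashlib
import re

# Constructed sample values for this illustration (not from the post):
# a stand-in for the site-wide salt the forum recommends setting as
# $CFG->passwordsaltmain, and a tiny "precomputed table" of the kind a
# hash lookup site is built from (md5 of common passwords -> password).
SAMPLE_SITE_SALT = "placeholder-site-salt-CHANGE-ME"
SAMPLE_LOOKUP_TABLE = {
    hashlib.md5(p.encode("utf-8")).hexdigest(): p
    for p in ["password", "123456", "letmein", "moodle"]
}


def moodle_style_hash(password: str, site_salt: str = "") -> str:
    """Model of Moodle 1.9-era password hashing: md5(password) with no site
    salt, md5(password + salt) once passwordsaltmain is set.

    Assumption: this mirrors how the site salt was applied at the time; it is
    written for this example and is not Moodle's own code.
    """
    return hashlib.md5((password + site_salt).encode("utf-8")).hexdigest()


def lookup_recovers(stored_hash: str, table: dict) -> bool:
    """True if a precomputed table maps the stored hash straight back to a
    password. Only unsalted hashes of common passwords are exposed this way:
    a site salt changes every hash, so tables built elsewhere no longer match."""
    return stored_hash in table


def meets_policy(password: str, minlength: int = 8, mindigits: int = 1,
                 minlower: int = 1, minupper: int = 1,
                 minnonalphanum: int = 1) -> bool:
    """Check a password against rules of the kind Moodle's Password Policy
    enforces: minimum length, digits, lower/upper case and non-alphanumeric
    characters. The parameter names are this example's own."""
    return (len(password) >= minlength
            and len(re.findall(r"[0-9]", password)) >= mindigits
            and len(re.findall(r"[a-z]", password)) >= minlower
            and len(re.findall(r"[A-Z]", password)) >= minupper
            and len(re.findall(r"[^a-zA-Z0-9]", password)) >= minnonalphanum)


def compare(password: str, site_salt: str) -> dict:
    """Hash one password both ways and report which variant the sample
    lookup table can reverse, plus whether the password passes the policy."""
    unsalted = moodle_style_hash(password)
    salted = moodle_style_hash(password, site_salt)
    return {
        "unsalted": unsalted,
        "salted": salted,
        "unsalted_recovered": lookup_recovers(unsalted, SAMPLE_LOOKUP_TABLE),
        "salted_recovered": lookup_recovers(salted, SAMPLE_LOOKUP_TABLE),
        "meets_policy": meets_policy(password),
    }


if __name__ == "__main__":
    # Constructed test passwords: one common and weak, one that passes the policy.
    for pw in ["password", "Passw0rd!"]:
        print(pw, compare(pw, SAMPLE_SITE_SALT))
```

The salt only defeats precomputed tables; a salted md5 is still fast to compute, so a weak password remains guessable by anyone who has the hash and the salt, which is why the forum's two measures belong together (set the salt, then force users onto policy-compliant passwords). Later Moodle releases moved to per-user salted bcrypt hashes, which is the modern answer to the same problem.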

Ken Task shares the following Moodle security issue with Texans, and it looks pretty authentic…I haven’t had a chance to try the process outlined in the YouTube video below, but if it’s true, oh my gosh! Here’s a quick overview from the EduChalk.org blog entry:

If you are a Moodle administrator, teacher, student, or even if you have ever simply created an account on a Moodle Learning Management System (LMS) site, you need to read this post and watch the videos. It’s no secret that Moodle has suffered from some pretty serious security and user privacy issues over the past few years, but nothing before, that I am aware of comes close to the severity of the Moodle security/privacy vulnerability I discovered a few days ago. In the videos below I will demonstrate the problem and show you how you can verify the problem on your own Moodle site using nothing more than a normal teacher account.

Simply put, it shows you how to get the Moodle admin's password (stored as an MD5 hash) and then use a third-party web site that reverses the hash back to the password. This means that any teacher/course creator who has rights in the system can – with malicious intent – log in as admin and do whatever they want.

This affects the latest version of Moodle according to the video (1.9.6+). You can “fix” the problem by going into the admin permissions of a Moodle site for two roles – teacher and course creator – to PREVENT backups.

If you’ve made backups of a course with user data, you will need to get rid of those because they may share admin info, as well as confidential data.

Just saw a blog posting AND a YouTube movie demo of how a teacher or course creator in Moodle could acquire the admin password and login as the admin user.

http://educhalk.org/blog/category/moodle/

http://www.youtube.com/watch?v=F1BDHZED4yU

Fix?
http://educhalk.org/blog/wp-content/uploads/moodle_md5_hash1/moodle_md5_hash1.html

Explanation:

Teachers/Course Creators have the ability to enroll students in their course. IF they enroll the admin user (or any user they know has global admin access levels) and then backup the course, they can acquire the passwords of those users.

The “work-around” is to edit the Teacher and Course Creator role definitions and take away those role abilities to backup a course.

Very few Teachers take the time to backup their course anyway, so … If you have been using course creator account level users as Moodle server assistants, you might evaluate how trustworthy those users are.

IF one doesn’t trust ANYONE, how does one backup courses then?

There is a setting for backups in Site Admin -> Courses -> Backups in which defaults for all backups are set.  At the bottom of the form, “Save to” would allow backups to be sent to an existing directory for all backups – the full path.

IF you create a system admin category and course and assign NO users – not even yourself as the admin user or regular login account, one could point the backups to the system admin course’s data directory.

Explanation:
Create a system admin cat. and course.  Hide both the cat. and the course.  Assign NO ONE to the course.  When IN the system admin course, note the ID number and backup the course just once.  This will create a /var/www/moodledata/ID# directory.

Then, in the settings for all backups, point all backups to go to:
/var/www/moodledata/[SA_COURSE_ID#]

Since only System Admins can see the System Admin category and course, other courses can be restored by admins only.
Another question running around in my mind is why the author didn’t share this with Martin at Moodle so they could release a fix rather than just throw it out there?

