
Moodle Security FAQ

Contents:
1. How do I report a security issue?
2. How can I keep my site secure?
3. How do I keep track of recent security issues?
4. Who is able to view security issues in the Tracker?
5. Which versions of Moodle are supported?
6. My site was hacked. What do I do?
7. How can I reduce spam in Moodle?
8. How can I increase privacy in Moodle?
9. How do I enable reCAPTCHA?
10. How can I run the security overview report?
11. How can I enable password salting?
12. What if I lose my password salt?
13. See also

How do I report a security issue?

Please create a new issue in the Moodle Tracker describing the problem in detail. (You'll need a tracker account in order to create a new issue.) Set the security level to "Serious security issue"; then only the security team (led by Petr Skoda) and yourself as the reporter will be able to view it.

Previously fixed security issues are listed in the Moodle.org Security news. If you are unsure whether a problem has been fixed or not, it's best to report it anyway.

* * *

How can I keep my site secure?

It's good practice to always use the latest stable release of the version you are using. It is safe to upgrade from 1.9.6 to 1.9.7+, for example, at any time. CVS is a very easy way to do this.

* * *

How do I keep track of recent security issues?

Register your Moodle site with moodle.org (visit admin/index.php in your installation to see the registration button), making sure to enable the option of being notified about security issues and updates. After your registration is accepted, your email address will be automatically added to our low-volume security alerts mailing list.

Eventually, all important security issues are published to the general public via the Moodle Security forum. You can subscribe to the forum RSS feed to automatically add new issues to your favourite feed reader or portal. You can also follow moodlesecurity on Twitter.

* * *

Who is able to view security issues in the Tracker?

Depending upon the security level of a Tracker issue, access is restricted to developers, testers or members of the security team.

If you wish to find out which files have been changed and what lines of code have been added or amended for a particular security issue, you can search CVS for the issue number. However, please note that the recent security fixes for 1.9.7 and 1.8.11 would be extremely complex to back-port to 1.9.6 or 1.8.10 and virtually impossible to back-port to earlier versions. Upgrading is therefore the recommended solution.

* * *

Which versions of Moodle are supported?

As stated on download.moodle.org, Moodle 1.8 and 1.9 are supported. If you're still using 1.6 or 1.7 then upgrading is highly recommended.

The latest development branch of Moodle is not intended for production use, and while security problems are fixed there, security announcements are not issued for it. If you are using the development branch for testing or evaluation, we assume that you will update your code regularly.

Our security officer Petr Skoda oversees the security of the code found in the standard Moodle distribution. The security of contributed code lies with the individual maintainers.

* * *

My site was hacked. What do I do?

See: Hacked site recovery.

* * *

How can I reduce spam in Moodle?

See: Reducing spam in Moodle.

* * *

How can I increase privacy in Moodle?

See: Increasing privacy in Moodle.

* * *

How do I enable reCAPTCHA?

To add spam protection to the Email-based self-registration new account form with a CAPTCHA element:

1) Obtain a reCAPTCHA key from http://recaptcha.net by signing up for an account (free) then entering a domain.
2) Copy and paste the public and private keys provided into the ''recaptchapublickey'' and ''recaptchaprivatekey'' fields in the manage authentication common settings in Administration --> Users --> Authentication --> Manage authentication. Treat the private key like any other credential: it should not appear in anything you publish or share.
3) Click the "Save changes" button at the bottom of the page.
4) Follow the settings link for email-based self-registration in Administration --> Users --> Authentication --> Manage authentication and enable the reCAPTCHA element.
5) Click the "Save changes" button at the bottom of the page.

* * *

How can I run the security overview report?

To run the security overview report, you need to be using Moodle 1.8.9 or 1.9.4 (or a later release on either branch). The report can be accessed via Administration --> Reports --> Security overview.

* * *

How can I enable password salting?

Moodle stores passwords as MD5 hashes. Password salting appends a secret, site-specific string to each password before it is hashed, so the stored hashes can no longer be looked up in precomputed (rainbow) tables and the same password produces a different hash on every site. See: ''Password salting'' for details of how to enable this feature.

* * *

What if I lose my password salt?

If you lose your password salt, the stored hashes can no longer be checked against anything a user types, so you and all other site users will have to go through password recovery to reset your passwords. To prevent this situation from occurring, keep a note of your password salt somewhere other than config.php, for example alongside your securely stored configuration backups.

* * *

See also

Using Moodle Security and Privacy forum.
Using Moodle forum discussions:
- Trojan: JS Type Obfuscation Exploits
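Returning to the two password-salting questions above: the following is an added example, not Moodle's own code, written in Python to show the scheme Moodle 1.9 uses once a salt is set in config.php (the stored value is the MD5 of the password with the salt appended, the setting being $CFG->passwordsaltmain as I recall it from config-dist.php), why the salt defeats a precomputed lookup of the stored hashes, how keeping the previous salts on hand (Moodle's passwordsaltalt1, passwordsaltalt2, ... settings) lets a site rotate to a new salt without forcing everyone through password recovery, and what a lost salt looks like in practice. The salts, the user records and the tiny "precomputed table" are constructed for the demo, and the function names are mine.

```python
import hashlib
import hmac


def hash_password(password, salt):
    """Moodle 1.9 style stored value: hex MD5 of the password with the site salt appended.
    An empty salt gives the legacy, unsalted md5(password) that pre-salting sites stored."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


def verify_password(password, stored, main_salt, alt_salts=()):
    """Check a login attempt against a stored hash.

    Tries the current main salt first, then each older salt (the
    passwordsaltalt* values), then the unsalted legacy form.
    Returns (ok, needs_rehash): needs_rehash is True when the match came
    from an old salt or from no salt, meaning the caller should store a
    fresh hash under the current salt while it still holds the plaintext.
    """
    if hmac.compare_digest(stored, hash_password(password, main_salt)):
        return True, False
    for old_salt in alt_salts:
        if hmac.compare_digest(stored, hash_password(password, old_salt)):
            return True, True
    if hmac.compare_digest(stored, hash_password(password, "")):
        return True, True          # legacy unsalted hash from before salting was enabled
    return False, False


def login(users, username, password, main_salt, alt_salts=()):
    """Authenticate against the constructed user table and, as Moodle does on a
    successful login, silently upgrade a hash that matched via an old salt
    (or no salt) to the current main salt."""
    stored = users.get(username)
    if stored is None:
        return False
    ok, needs_rehash = verify_password(password, stored, main_salt, alt_salts)
    if ok and needs_rehash:
        users[username] = hash_password(password, main_salt)
    return ok


# Constructed stand-in for a precomputed MD5 table of common passwords:
# this is what makes unsalted MD5 cheap to reverse and what a salt defeats.
PRECOMPUTED = {hash_password(p, ""): p for p in ("password", "123456", "letmein", "qwerty")}


def crack_with_table(stored):
    """Return the plaintext if the stored hash appears in the precomputed table."""
    return PRECOMPUTED.get(stored)


if __name__ == "__main__":
    old_salt = "constructed-old-salt-7c2e1f"   # value of passwordsaltmain before rotation
    new_salt = "constructed-new-salt-9a4b0d"   # value after rotation
    users = {
        "alice": hash_password("password", ""),      # account created before salting was enabled
        "bob": hash_password("letmein", old_salt),   # account hashed under the old salt
    }

    # 1. Unsalted hash falls to the precomputed table; the salted one does not.
    print("alice (unsalted) cracked as:", crack_with_table(users["alice"]))   # password
    print("bob (salted) cracked as:", crack_with_table(users["bob"]))         # None

    # 2. Rotate the salt: new main salt, old salt kept in the alt list.
    #    Both users still log in, and their hashes are upgraded on the way through.
    print("alice login:", login(users, "alice", "password", new_salt, [old_salt]))
    print("bob login:", login(users, "bob", "letmein", new_salt, [old_salt]))
    print("bob now stored under new salt:", users["bob"] == hash_password("letmein", new_salt))

    # 3. Lost salt: a fresh salt without the old one in the alt list matches nothing,
    #    so every user has to go through password recovery, as the FAQ says.
    lost = {"carol": hash_password("s3cret!", "salt-nobody-wrote-down")}
    print("carol after salt loss:", login(lost, "carol", "s3cret!", "brand-new-salt"))   # False
```

Two caveats worth keeping in mind when reading this. A salt stops offline lookup of the stored hashes and hides which users share a password, but it does nothing to slow a brute-force of a single hash once the attacker has the salt, and MD5 is a very fast function; that is why later Moodle releases moved password storage to bcrypt. And the rotation in step 2 only works because the old salt was still available, which is exactly the point of the advice to keep a copy of the salt outside config.php.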
