Moodle / MDL-68810

Swap various secret api keys config items from text to password fields

    Details

      Description

      Another day, another pen test report. This was low priority, but it was identified that a lot of admin settings for API keys and secrets don't use the password admin settings or formslib elements. A non-exhaustive list includes:

      Searching for secret / key / password / phrase

      • googlemapkey3
      • recaptchaprivatekey
      • mlbackend_python | password

       

      OAuth2 issuers

      • /admin/tool/oauth2/issuers.php

       

      Repository plugins forms (almost all of them):

      • youtube
      • OneDrive
      • Amazon S3
      • Picasa
      • Dropbox
      • Flickr
      • Merlot.org 

            People

            Assignee: Unassigned
            Reporter: Brendan Heywood (brendanheywood)
            Component watchers: Andrew Lyons, Dongsheng Cai, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
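The search the description outlines (secret / key / password / phrase) can be automated. The script below is an added example, not part of the original report or of Moodle's code. It flags secret-like fields declared with the plain-text `admin_setting_configtext` class or the formslib `text` element instead of their `passwordunmask` counterparts. The PHP sample lines are constructed, and the field names `client_secret` and `api_key` are hypothetical.

```python
import re

# Name fragments taken from the search terms listed in the report.
SECRET_WORDS = re.compile(r"secret|key|password|phrase", re.I)

# Plain-text admin setting: new admin_setting_configtext('name', ...
ADMIN_TEXT = re.compile(
    r"new\s+admin_setting_configtext\s*\(\s*['\"]([^'\"]+)['\"]")
# Plain-text formslib element: ->addElement('text', 'name', ...
FORM_TEXT = re.compile(
    r"->\s*addElement\s*\(\s*['\"]text['\"]\s*,\s*['\"]([^'\"]+)['\"]")


def find_plaintext_secrets(php_source):
    """Return sorted (line_no, kind, name) for secret-like plain-text fields.

    Patterns run over the whole source, so a declaration whose name sits on
    the line after the opening parenthesis is still found; line_no is the
    line where the declaration starts. Name matching is a heuristic and
    will also flag harmless names that merely contain "key".
    """
    findings = []
    for kind, pattern in (("admin_setting", ADMIN_TEXT), ("formslib", FORM_TEXT)):
        for match in pattern.finditer(php_source):
            name = match.group(1)
            if SECRET_WORDS.search(name):
                line_no = php_source.count("\n", 0, match.start()) + 1
                findings.append((line_no, kind, name))
    return sorted(findings)


# Constructed sample input: setting names come from the report, the
# surrounding PHP and the two formslib field names are made up.
SAMPLE = """\
$settings->add(new admin_setting_configtext('googlemapkey3', 'Maps key', '', ''));
$settings->add(new admin_setting_configtext(
    'recaptchaprivatekey', 'Private key', '', ''));
$settings->add(new admin_setting_configpasswordunmask('mlbackend_python/password', 'Password', '', ''));
$settings->add(new admin_setting_configtext('sitename', 'Site name', '', ''));
$mform->addElement('text', 'client_secret', 'Client secret');
$mform->addElement('passwordunmask', 'api_key', 'API key');
"""

if __name__ == "__main__":
    for line_no, kind, name in find_plaintext_secrets(SAMPLE):
        print(f"line {line_no}: {kind} '{name}' is rendered as plain text")
```

Each hit is a candidate for `admin_setting_configpasswordunmask` or a `passwordunmask` form element and should be reviewed by hand before changing it.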