Improvement
Resolution: Fixed
Minor
3.11
MOODLE_311_STABLE
MOODLE_311_STABLE
MDL-69333-fingerprint-checks
I've flagged this as a security issue just in case. There are a bunch of ways to sniff details of a Moodle to both indirectly find out its version, which you can then match against CVEs if it is old. Or in some cases you can sniff some internals like db xml files.
It's easy to tell that moodle.org is on 3.9.1 as of Jul 21:
https://moodle.org/lib/upgrade.txt
Or in some cases you might have a proprietary / 3rd party plugin and you can see its DB structure:
https://moodle.org/local/plugins/db/install.xml
I'm proposing a couple things:
1) we should check for these similar to the node and composer vendor files in the security check report. But unlike those we need to test if they are accessible, not if they exist. I actually think it is more correct to test all of them using curl and not file_exists
2) document a .htaccess file / nginx config which forbids access to these. I think shipping a .htaccess file in the root dir is probably not useful as a) won't work for nginx and b) it is likely to break existing files managed outside of git. So either something like .htaccess-dist in git, or perhaps just wiki docs
3) As we will have the check in place from 1) above, the app is aware of what paths are ok and not. There is potentially scope for a more generic single rewrite rule which then delegates to a script inside moodle which does the checks. That would be more maintainable and auto update from git as the rules improve rather than relying on admins keeping up to date with an evolving wiki doc.
i.e. something vaguely related to MDL-56041, we forward for example all .xml files to something like /error/check-access.php and it does the check and then serves the file or not. I'm on the fence around this one.
Docs pages that should get updates:
https://docs.moodle.org/39/en/Nginx
https://docs.moodle.org/39/en/Apache
https://docs.moodle.org/39/en/Internet_Information_Services
https://docs.moodle.org/39/en/Installing_Moodle#Set_up_your_server
https://docs.moodle.org/39/en/Installing_AMP
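One way to run the accessibility test from proposal 1) from outside the application, as an added example in Python (not Moodle's code and not the reporter's). It requests each path over HTTP instead of checking that the file exists; the function names and the host `moodle.example.test` are assumptions, and the path list holds only the two paths named above.

```python
"""Added example: are fingerprinting files reachable over HTTP on your own site?"""
import urllib.error
import urllib.request

# The two paths named in the issue; extend with your own plugin paths.
PATHS = ["lib/upgrade.txt", "local/plugins/db/install.xml"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for a 3xx instead of following it,
    # so a redirect to a login or error page is not mistaken for the file itself.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url, timeout=5.0):
    """Return the HTTP status of a GET for url, or None on a network error."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except OSError:  # URLError, timeouts, refused connections
        return None


def classify(status):
    """Map a status to a verdict; only an explicit refusal counts as blocked."""
    if status is None:
        return "unknown"   # no answer proves nothing about the web server rules
    if status in (200, 206):
        return "exposed"   # the file body was served to an anonymous client
    if status in (401, 403, 404, 410):
        return "blocked"
    return "review"        # redirects, 5xx and anything else need a human look


def check_paths(base_url, paths=PATHS, fetch=http_status):
    """Return {path: verdict}; fetch is injectable so the logic can run offline."""
    base = base_url.rstrip("/") + "/"
    return {p: classify(fetch(base + p.lstrip("/"))) for p in paths}


def failing(results):
    """Paths that were not proven blocked (the check fails closed)."""
    return sorted(p for p, verdict in results.items() if verdict != "blocked")


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:  # usage: python check.py https://moodle.example.test
        for path, verdict in check_paths(sys.argv[1]).items():
            print(f"{verdict:8} {path}")
```

A server whose custom error page answers 200 for missing files will show up as "exposed" here, which is worth fixing in its own right because it also hides real exposures.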
- blocks
  - MDL-69205 Adding a new Check - test https and directory slash redirects (Development in progress)
- has a non-specific relationship to
  - MDL-69958 Support /.well-known/password-change requests from password managers (Closed)
  - MDL-56041 Cleanup custom 404 page and more easily support custom 50x error pages (Closed)
- has been marked as being related by
  - MDL-82231 Public path checker should check for new UPGRADING.md files (Closed)
  - MDL-71377 Add a security check around the X-MOODLEUSER header (Closed)
- Testing discovered
  - MDL-72132 Handle files with a . inside pluginfile paths correctly (Open)