MDL-72773

Remove non admin user context tools and links from admin folder (security)



    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.11.3
    • Fix Version/s: None
    • Component/s: Administration


      Our campus security team recently started to block public internet access to the Moodle /admin/* folder, as we are constantly being attacked and scanned by malicious hackers, and this folder seems to be more sensitive and popular for attacks/scans than other folders.

      The admin folder is available to admins using a VPN or using an on-premise workstation.

      We found out that several tools and actions (links) in the admin folder are used by regular users (teachers and managers), and we are excluding them from the WAF filtering.

      • admin/tool/mobile/autologin.php
      • admin/tool/dataprivacy/summary.php
      • admin/tool/lp/coursecompetencies.php
      • admin/tool/policy/index.php
      • admin/roles
      • admin/tool/recyclebin
      • admin/oauth2callback.php

      I am suggesting some refactoring for the above tools and links, so they can be accessed easily by non-admin users, with the ability to do a "simple" block of the admin folder/* with a WAF that does not need complicated exclusion rules.

      And make the admin folder exclusively related to admin actions and tools, which will make for easy management of security rules on any Moodle system behind a WAF.

      I tagged this issue as "minor security issue", as I did not find any other relevant tag.
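As an added example that is not part of this issue or of Moodle's own configuration: the /admin/* block described above, with the exception list from the description, expressed as nginx directives. The network ranges are placeholders, and the surrounding server block with Moodle's usual PHP locations is assumed to exist elsewhere.

```nginx
# Added example, not from MDL-72773 or Moodle: the /admin/* rule from the
# description as nginx directives. Network ranges are placeholders; the
# listen/root/PHP handling is assumed to exist elsewhere in the server block.

# Which client networks may reach the admin-only pages (VPN / on-premise).
# If nginx sits behind the WAF or another proxy, configure the real_ip
# module first, otherwise $remote_addr is the proxy, not the user.
geo $from_trusted_net {
    default       0;
    10.8.0.0/16   1;   # placeholder: VPN address pool
    192.0.2.0/24  1;   # placeholder: on-premise workstations
}

# 1 = path is under /admin/ and is not one of the pages non-admin users need.
# $uri is the normalised path (percent-decoding and dot-segments resolved),
# so match on it rather than on $request_uri. Regex entries are tried in
# order, so the exceptions from the issue come before the /admin/ catch-all.
map $uri $admin_restricted {
    default                                         0;
    ~^/admin/tool/mobile/autologin\.php(/|$)        0;
    ~^/admin/tool/dataprivacy/summary\.php(/|$)     0;
    ~^/admin/tool/lp/coursecompetencies\.php(/|$)   0;
    ~^/admin/tool/policy/index\.php(/|$)            0;
    ~^/admin/roles(/|$)                             0;
    ~^/admin/tool/recyclebin(/|$)                   0;
    ~^/admin/oauth2callback\.php(/|$)               0;
    ~^/admin/                                       1;   # everything else
}

# Deny only when both hold: restricted path AND client not on a trusted net.
map "$admin_restricted$from_trusted_net" $deny_admin {
    default 0;
    "10"    1;
}

server {
    # ... listen / server_name / root / Moodle PHP locations as usual ...

    # Evaluated before a location is chosen; "return" inside "if" is safe.
    if ($deny_admin) {
        return 403;
    }
}
```

Every new non-admin page that lands under /admin/ has to be appended to the map, which is the maintenance burden the description asks to remove by moving such pages out of the folder.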




            Assignee: Unassigned
            Reporter: Nadav Kavalerchik (nadavkav)
            Component watchers: Andrew Lyons, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
            Votes: 0
            Watchers: 2