Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-72773

Remove non admin user context tools and links from admin folder (security)

    XMLWordPrintable

Details

    • Improvement
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • 3.11.3
    • None
    • Administration
    • MOODLE_311_STABLE

    Description

      Our campus security team started to block public internet access to the Moodle /admin/* folder, recently, as we are constantly being attacked and scanned by malicious hackers, and this folder seem to be more sensitive and popular to attacks/scans then other folders.

      The admin folder is available to admins using a VPN or using an on-premise workstation.

      We found out that several tools and action (links) in the admin folder are used by regular users (teachers and managers) and we are excluding them from the WAF filtering.

      • admin/tool/mobile/autologin.php
      • admin/tool/dataprivacy/summary.php
      • admin/tool/lp/coursecompetencies.php
      • admin/tool/policy/index.php
      • admin/roles
      • admin/tool/recyclebin
      • admin/oauth2callback.php

      I am suggesting some refactoring for the above tools and links, so they can be accessed easily by non admin users, with the ability for a "simple" block the admin folder/* with a WAF that does not need complicated exclusion rules.

      And make admin folder exclusively related to admin actions and tools, which will make an easy management of security rules on any Moodle system behind a WAF.

      I tagged this issue as "minor security issue", as I did not find any other relevant tag.

      Attachments

        Activity

          People

            Unassigned Unassigned
            nadavkav Nadav Kavalerchik
            Andrew Lyons, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated: