Moodle Community Sites
MDLSITE-265

Add some more interesting information to the registration process...

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Component/s: moodle.org
    • Environment: Any Moodle site being registered.

      Description

      Perhaps it would be interesting to add some more information to the registration process:

      • Some environment stuff like:

      OS version, PHP version, DB driver and version.

      • Some Moodle stuff like:

      Moodle Network enabled y/n (and number of "friend servers"), number of data and glossary (module) items, blogs...

      Hub information, if the site is running as so.

      All plugins installed (with versions). Admins could opt: All/Only core/None

      Edited: 2012-01-13 to add the hub & plugins with versions.

            Activity

            Eloy Lafuente (stronk7) added a comment -

            ping!

            Anthony Borrow added a comment -

            I mentioned this to David after receiving a Drupal security announcement for a module installed on one of my sites. I am including the text here as an example of what could be done when a security issue is identified and fixed with a Moodle Plugin. In order to generate a list of recipients, we would need to know which Addons are installed on registered sites so it seemed a good time to bring up this issue again. Peace - Anthony

            From: <security-news@drupal.org>
            Date: Feb 25, 2015 12:04 PM
            Subject: [Security-news] SA-CONTRIB-2015-053 - Entity API - Cross Site Scripting (XSS)
            To: <security-news@drupal.org>
            Cc:

            View online: https://www.drupal.org/node/2437905

            • Advisory ID: DRUPAL-SA-CONTRIB-2015-053
            • Project: Entity API [1] (third-party module)
            • Version: 7.x
            • Date: 2015-February-25
            • Security risk: 12/25 (Moderately Critical)
              AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
            • Vulnerability: Cross Site Scripting

            -------- DESCRIPTION ---------------------------------------------------------

            The Entity API module extends the entity API of Drupal core in order to
            provide a unified way to deal with entities and their properties.

            The module doesn't sufficiently sanitize field labels when exposing them
            through the Token API thereby exposing a Cross Site Scripting (XSS)
            vulnerability.

            This vulnerability is mitigated by the fact that an attacker must have a role
            with the permission to administer fields such as "administer taxonomy".

            -------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

            • /A CVE identifier [3] will be requested, and added upon issuance, in accordance
              with Drupal Security Team processes./

            -------- VERSIONS AFFECTED ---------------------------------------------------

            • Entity API 7.x-1.x versions prior to 7.x-1.6.

            Drupal core is not affected. If you do not use the contributed Entity API [4]
            module, there is nothing you need to do.

            -------- SOLUTION ------------------------------------------------------------

            Install the latest version:

            • If you use the Entity API module for Drupal 7.x, upgrade to Entity API
              7.x-1.6 [5]

            Also see the Entity API [6] project page.

            -------- REPORTED BY ---------------------------------------------------------

            • Francisco José Cruz Romanos [7]

            -------- FIXED BY ------------------------------------------------------------

            • Klaus Purer [8] of the Drupal Security Team
            • Francisco José Cruz Romanos [9]
            • Wolfgang Ziegler [10] the module maintainer

            -------- COORDINATED BY ------------------------------------------------------

            • Klaus Purer [11] of the Drupal Security Team
            • Rick Manelius [12] of the Drupal Security Team

            -------- CONTACT AND MORE INFORMATION ----------------------------------------

            The Drupal security team can be reached at security at drupal.org or via the
            contact form at https://www.drupal.org/contact [13].

            Learn more about the Drupal Security team and their policies [14], writing
            secure code for Drupal [15], and securing your site [16].

            Follow the Drupal Security Team on Twitter at
            https://twitter.com/drupalsecurity [17]

            [1] https://www.drupal.org/project/entity
            [2] https://www.drupal.org/security-team/risk-levels
            [3] http://cve.mitre.org/
            [4] https://www.drupal.org/project/entity
            [5] https://www.drupal.org/node/2437885
            [6] https://www.drupal.org/project/entity
            [7] https://www.drupal.org/user/848238
            [8] https://www.drupal.org/u/klausi
            [9] https://www.drupal.org/user/848238
            [10] https://www.drupal.org/user/16747
            [11] https://www.drupal.org/u/klausi
            [12] https://www.drupal.org/u/rickmanelius
            [13] https://www.drupal.org/contact
            [14] https://www.drupal.org/security-team
            [15] https://www.drupal.org/writing-secure-code
            [16] https://www.drupal.org/security/secure-configuration
            [17] https://twitter.com/drupalsecurity

            Helen Foster added a comment -

            Thanks Anthony for your comment. It would indeed be very useful to have data on plugins installed on registered sites.

            I imagine a change in core Moodle code is required, and as we have a similar MDL issue for this (MDL-18578), I'm going to close this issue so we can focus on MDL-18578.

