  1. Moodle Community Sites
  2. MDLSITE-265

Add some more interesting information to the registration process...

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Component/s: moodle.org
    • Environment:
      Any Moodle site being registered.

      Description

      Perhaps it would be interesting to add some more information to the registration process:

      • Some environment stuff like:

      OS version, PHP version, DB driver and version.

      • Some Moodle stuff like:

      Moodle Network enabled y/n (and number of "friend servers"), number of data and glossary (module) items, blogs...

      Hub information, if the site is running as so.

      All plugins installed (with versions). Admins could opt: All/Only core/None

      Edited: 2012-01-13 to add the hub & plugins with versions.

              Activity

              stronk7 Eloy Lafuente (stronk7) added a comment -

              ping!

              aborrow Anthony Borrow added a comment -

              I mentioned this to David after receiving a Drupal security announcement for a module installed on one of my sites. I am including the text here as an example of what could be done when a security issue is identified and fixed with a Moodle Plugin. In order to generate a list of recipients, we would need to know which Addons are installed on registered sites so it seemed a good time to bring up this issue again. Peace - Anthony

              From: <security-news@drupal.org>
              Date: Feb 25, 2015 12:04 PM
              Subject: [Security-news] SA-CONTRIB-2015-053 - Entity API - Cross Site Scripting (XSS)
              To: <security-news@drupal.org>
              Cc:

              View online: https://www.drupal.org/node/2437905

              • Advisory ID: DRUPAL-SA-CONTRIB-2015-053
              • Project: Entity API [1] (third-party module)
              • Version: 7.x
              • Date: 2015-February-25
              • Security risk: 12/25 (Moderately Critical)
                AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
              • Vulnerability: Cross Site Scripting

              -------- DESCRIPTION ---------------------------------------------------------

              The Entity API module extends the entity API of Drupal core in order to
              provide a unified way to deal with entities and their properties.

              The module doesn't sufficiently sanitize field labels when exposing them
              through the Token API thereby exposing a Cross Site Scripting (XSS)
              vulnerability.

              This vulnerability is mitigated by the fact that an attacker must have a role
              with the permission to administer fields such as "administer taxonomy".

              -------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

              • /A CVE identifier [3] will be requested, and added upon issuance, in accordance
                with Drupal Security Team processes./

              -------- VERSIONS AFFECTED ---------------------------------------------------

              • Entity API 7.x-1.x versions prior to 7.x-1.6.

              Drupal core is not affected. If you do not use the contributed Entity API [4]
              module, there is nothing you need to do.

              -------- SOLUTION ------------------------------------------------------------

              Install the latest version:

              • If you use the Entity API module for Drupal 7.x, upgrade to Entity API
                7.x-1.6 [5]

              Also see the Entity API [6] project page.

              -------- REPORTED BY ---------------------------------------------------------

              • Francisco José Cruz Romanos [7]

              -------- FIXED BY ------------------------------------------------------------

              • Klaus Purer [8] of the Drupal Security Team
              • Francisco José Cruz Romanos [9]
              • Wolfgang Ziegler [10] the module maintainer

              -------- COORDINATED BY ------------------------------------------------------

              • Klaus Purer [11] of the Drupal Security Team
              • Rick Manelius [12] of the Drupal Security Team

              -------- CONTACT AND MORE INFORMATION ----------------------------------------

              The Drupal security team can be reached at security at drupal.org or via the
              contact form at https://www.drupal.org/contact [13].

              Learn more about the Drupal Security team and their policies [14], writing
              secure code for Drupal [15], and securing your site [16].

              Follow the Drupal Security Team on Twitter at
              https://twitter.com/drupalsecurity [17]

              [1] https://www.drupal.org/project/entity
              [2] https://www.drupal.org/security-team/risk-levels
              [3] http://cve.mitre.org/
              [4] https://www.drupal.org/project/entity
              [5] https://www.drupal.org/node/2437885
              [6] https://www.drupal.org/project/entity
              [7] https://www.drupal.org/user/848238
              [8] https://www.drupal.org/u/klausi
              [9] https://www.drupal.org/user/848238
              [10] https://www.drupal.org/user/16747
              [11] https://www.drupal.org/u/klausi
              [12] https://www.drupal.org/u/rickmanelius
              [13] https://www.drupal.org/contact
              [14] https://www.drupal.org/security-team
              [15] https://www.drupal.org/writing-secure-code
              [16] https://www.drupal.org/security/secure-configuration
              [17] https://twitter.com/drupalsecurity

              _______________________________________________
              Security-news mailing list
              Security-news@drupal.org
              Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

              tsala Helen Foster added a comment -

              Thanks Anthony for your comment. It would indeed be very useful to have data on plugins installed on registered sites.

              I imagine a change in core Moodle code is required, and as we have a similar MDL issue for this (MDL-18578), I'm going to close this issue so we can focus on MDL-18578.
