Moodle Blog

Is your Moodle safe? (Part 2)

I was perusing the General Problems forum of Moodle dot org today when I chanced upon a South American Moodler with a photo problem: his images were not displaying, as Moodle didn't seem to be using the file path he expected it to. However, far more disturbing than his getting the Big Red X was the fact that, within 2 minutes, I could look at (or download) any of his images, his podcasts, his Word documents and slideshows – or, had I wished, whole courses protected with an enrolment key on a password-access-only Moodle. So no – this was not another example of the dangers of email-based self-registration (as in Part 1). Rather, it was the worryingly common issue of allowing your Moodle file storage directory (often called moodledata or uploaddata) to reside inside your web root (often the 'www' directory).

What does that mean? It means that if your site is mymoodle site dot com and you keep your files in moodledata, then all anyone needs to do is type in mymoodle site dot com slash moodledata... and you're in. And so, sadly, is everyone else: the web server serves the files in that directory directly, without any of Moodle's login or enrolment checks.

The answer? Make sure this folder is outside of the web root or, at the very least, protect it with an .htaccess file that denies all HTTP access. The relevant Moodle docs are here. Moodle maverick Steve Hyndman talks about this at greater length here. Is your Moodle safe? Test it and find out – before someone else does...
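As an added example (not code from this post, from Steve Hyndman, or from the Moodle project), here is a small POSIX shell script an administrator can run on the server to check the two points above: whether the data directory sits inside the document root, and, if it has to stay there for now, whether an .htaccess deny rule covers it. The paths in the comments are illustrative assumptions; the function names and the .htaccess writer are mine, not Moodle's.

```shell
#!/bin/sh
# Added example, not code from the blog post or from the Moodle project.
# Checks whether the Moodle data directory is reachable through the web
# root, and can drop in an .htaccess deny rule as the post's fallback fix.
# All paths used here are illustrative assumptions.

# Succeed (0) if CANDIDATE ($2) is BASE ($1) itself or lies under BASE.
path_under() {
    case "$2" in
        "$1"|"$1"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 = data dir is inside the document root (web-reachable), 1 = outside,
# 2 = one of the directories does not exist. Both the logical path and the
# symlink-resolved path are compared, so a symlink placed inside the web
# root that points elsewhere still counts as exposed.
datadir_inside_docroot() {
    doc_l=$(cd "$1" 2>/dev/null && pwd -L) || return 2
    doc_p=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    data_l=$(cd "$2" 2>/dev/null && pwd -L) || return 2
    data_p=$(cd "$2" 2>/dev/null && pwd -P) || return 2
    path_under "$doc_l" "$data_l" && return 0
    path_under "$doc_p" "$data_p" && return 0
    return 1
}

# Write an .htaccess that refuses every HTTP request into DATADIR ($1).
# Both the Apache 2.2 and 2.4 directive forms are emitted so the file works
# on either. This only takes effect if AllowOverride permits it for that
# path; moving the directory out of the web root remains the primary fix.
write_deny_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Refuse all HTTP access to the Moodle data directory
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Succeed if DATADIR ($1) carries an .htaccess with one of the deny directives.
has_deny_rule() {
    [ -f "$1/.htaccess" ] &&
        grep -q -e 'Require all denied' -e 'Deny from all' "$1/.htaccess"
}

# Overall verdict for DOCROOT ($1) and DATADIR ($2). Exit status:
# 0 safe (outside the web root), 1 exposed with no deny rule,
# 2 inside the web root but covered by .htaccess, 3 directory missing.
check_moodledata() {
    inside_rc=0
    datadir_inside_docroot "$1" "$2" || inside_rc=$?
    case $inside_rc in
        2) echo "ERROR: $1 or $2 does not exist"; return 3 ;;
        1) echo "OK: $2 is outside web root $1"; return 0 ;;
    esac
    if has_deny_rule "$2"; then
        echo "WARNING: $2 is inside $1; only the .htaccess deny rule protects it"
        return 2
    fi
    echo "EXPOSED: $2 is inside web root $1 and has no deny rule"
    return 1
}

# Usage (assumed paths): sh check_moodledata.sh /var/www /var/www/moodledata
if [ "$#" -eq 2 ]; then
    check_moodledata "$1" "$2"
fi
```

Run it with the document root and the directory you gave Moodle as its data directory during installation. An EXPOSED verdict means the directory is served as plain static files; moving it above the web root (and pointing Moodle's config at the new location) is the fix the post recommends, with the .htaccess rule as a stopgap only.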

This entry was posted on Friday, 08. August 2008 at 21:36 and filed under the category Moodle. You can follow any comments on this entry through the RSS feed. You can leave a comment, or send a trackback from your own weblog.



  1. As usual – all very good points. Having just installed a new Moodle last night the installation instructions are particularly clear. They make these exact points.

    I think the problem lies in that, whilst many teachers installing Moodle do have extensive capabilities, the ability to add directories, set permissions etc. outside of the usual website directory can be complex. As Moodle has gained traction, it moves beyond the 'geeky early adopters' (myself included 😉 ) to the more mainstream teachers. By this I mean those whose primary focus is on learning and teaching and who don't necessarily have the technical competence or (more likely) confidence.

    I think there are two things that Moodle could do to improve the situation. Firstly the ‘moodledocs’ could be a random directory that is set when the first installation takes place. Currently you can call it what you like, as long as you tell the Moodle installation. Secondly, there needs to be some form of notification, a bit like when you are asked to register your Moodle. With my Invision Boards, if you leave something open to others, such as the installer script, it reminds you with a seriously large banner warning across your admin panel. If such a thing was also included – perhaps via an automated test to identify the correct permissions on the moodledocs folder – then this issue could be avoided.

    In short though, this is really a web administration issue. Something that a good webmaster will ensure is taken care of. This issue does highlight both the strength and weakness of Moodle. Those who sell their commercial products against Moodle could identify this as an issue – an indication of why Moodle is 'dangerous' in the wrong hands. Clearly, it isn't, but it is yet another reminder that Moodle isn't free, but instead a VLE where the costs are transferred.

    Comment: Andrew Field – 08. August 2008 @ 10:02 pm

  2. Note that all current versions of Moodle will in fact warn you if the data directory is located wrongly within the web directory (on installation AND later on the admin page).

    However no piece of software can absolutely prevent people installing things wrongly if they really want to.

    Comment: Anonymous – 10. August 2008 @ 1:27 am

  3. Is that so Anonymous? Hummm…maybe you should view the video at the following address.

    Comment: Steve – 18. August 2008 @ 1:47 pm
