Moodle Blog

Is your Moodle safe? (Part 2)

Friday, 08. August 2008 by admin

I was perusing the General Problems forum of Moodle dot org today when I chanced upon a South American Moodler with a photo problem: his images were not displaying, as Moodle didn’t seem to be using the file path he expected it to. However, far more disturbing than his getting the Big Red X was the fact that, within 2 minutes, I could look at (or download) any of his images, his podcasts, his Word documents and slideshows – or, had I wished, whole courses protected with an enrollment key on a password-access-only Moodle.

So no – this was not another example of the dangers of email-based self registration (as in Part 1). Rather, it was the worryingly common issue of allowing your Moodle file storage directory (often called moodledata or uploaddata) to reside inside your root (often ‘www’) directory.

What does that mean? It means that if your site is mymoodle site dot com and you keep your files in moodledata, then all anyone needs to do is type in mymoodle site dot com slash moodledata …. and you’re in. And so, sadly, is everyone else.

The answer? Make sure this folder is outside of the root directory or, at the very least, protect it with an .htaccess file. The relevant Moodle docs are here. Moodle maverick Steve Hyndman talks at greater length here.

Is your Moodle safe? Test it and find out – before someone else does….
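As an added example (not from the original post or from Moodle), here is a small Python check an administrator could run against their own server: it reads `$CFG->dataroot` from the text of config.php and reports whether that directory sits inside the web root passed in as `docroot`, and if so whether it carries a deny-all .htaccess file. The function names, the result labels and the temporary directory layout are assumptions made for illustration.

```python
import os
import re
import tempfile

# Matches string assignments such as: $CFG->dataroot = '/srv/moodledata';
CFG_RE = re.compile(r"""^\s*\$CFG->(\w+)\s*=\s*(['"])(.*?)\2\s*;""", re.M)
# Apache 2.2 and 2.4 spellings of "refuse every request".
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)

def read_cfg(config_text):
    """Return the string-valued $CFG settings found in config.php text."""
    return {m.group(1): m.group(3) for m in CFG_RE.finditer(config_text)}

def is_inside(path, parent):
    """True if path equals parent or lies beneath it (symlinks and '..' resolved)."""
    path, parent = os.path.realpath(path), os.path.realpath(parent)
    try:
        return os.path.commonpath([path, parent]) == parent
    except ValueError:  # e.g. different drives on Windows
        return False

def audit_dataroot(config_text, docroot):
    """Return 'outside', 'inside-denied' or 'inside-exposed' for the data directory."""
    dataroot = read_cfg(config_text)["dataroot"]
    if not is_inside(dataroot, docroot):
        return "outside"
    try:
        with open(os.path.join(dataroot, ".htaccess"), encoding="utf-8") as fh:
            denied = bool(DENY_RE.search(fh.read()))
    except OSError:
        denied = False
    # A deny rule only takes effect if the server honours .htaccess files.
    return "inside-denied" if denied else "inside-exposed"

if __name__ == "__main__":
    # Constructed layout: web root "www" with the data directory inside it.
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "www")
        dataroot = os.path.join(docroot, "moodledata")
        os.makedirs(dataroot)
        config = "<?php\n$CFG->dataroot = '%s';\n" % dataroot
        print(audit_dataroot(config, docroot))
        with open(os.path.join(dataroot, ".htaccess"), "w") as fh:
            fh.write("deny from all\n")
        print(audit_dataroot(config, docroot))
```

An "inside-denied" result still depends on the web server being configured to read .htaccess files, so "outside" is the result to aim for.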

