Moodle — 1990′s Technology in 2010

April 13th, 2010 comment

Sad…

Categories: Moodle Tags:

More Major Moodle Security Vulnerabilities Discovered

March 28th, 2010 3 comments

Moodle, the open source learning management system, has been plagued with major security and privacy vulnerabilities over the past couple of years with the severity of those issues seeming to be on a sharp upward trajectory. Information about another batch of very serious security and privacy issues was released yesterday (Saturday, 27 March 2010) with notice that everyone needed to upgrade.

Understand…these issues weren’t discovered yesterday…they have been in your codebase for a very long time…they were simply released yesterday to a select few people.

The details of those security and privacy vulnerabilities were sent out to a mailing list on Saturday to every hacker in the world who has bothered to subscribe to the list…subscription to this “advanced notice” list is as simple as pushing one button with no verification of identity required. Ironically, if you look at the release notice for Moodle 1.9.8, this is what you see about the security issues:

The irony?:

1. The details of these very serious issues have already been emailed out to every hacker subscribed to that list by the Moodle lead developer himself. On Monday morning, Moodle admins (who happen to be subscribed to this list) will discover what hackers have known since at least Saturday and probably much longer.

2. By Moodle’s own figures, only 0.001666% of its users are actually subscribed to this security list–of course, they have no way of knowing how many of those actual subscribers are not Moodle admins at all, but are would-be hackers waiting for their “advanced notice”.

“The software is used by 27 million people worldwide, but only 45,000 are officially registered, so it is difficult for Moodle.com to alert everyone.”

Source: http://www.tes.co.uk/article.aspx?storycode=6008670

3. By Moodle’s own figures, that means over 99% of the users have not been notified by this “advanced” notification system.

4. The notice was sent out yesterday and it is already posted all over the web–of course, none of the places where it is posted are places Moodle users would be visiting…one, of many: http://pastebin.com/gQyWEszM You can Google for others…

If you are using Moodle in any kind of real-world situation, then you should be very concerned not only about the recent flurry of major security issues plaguing the software, but also about the way official notice is being sent out to hackers while the user-base at large is kept in the dark.

As I’ve said before, it’s my belief that at the same time these issues are sent out to that list, they should also be plastered across the moodle.org homepage and posted to every moodle blog, website, twitter account, etc., to give everyone a fighting chance of defending their sites against would-be hackers.

Just the opinion of one informed user who is not affiliated with Moodle.

Categories: Moodle Tags:

How to Edit WordPress Theme Colors Using Gimp

March 1st, 2010 5 comments

In the following videos I demonstrate a simple technique to change the color scheme of the WordPress Arjuna theme using Gimp–free image editing software. The technique I show here can be used on any image-based theme and shows a real simple technique using layers, color, and opacity to change the overall theme color scheme.

Part 1 of 2:

Part 2 of 2:


Moodle — 1990′s LMS Technology in 2010?

February 27th, 2010 10 comments

Moodle should make my life easier, not harder. I do appreciate what it allows me to do—post course content without having to fashion an entire course web page on my own, include RSS feeds from other sources, have one central location for grades and hand-ins and such—but I feel that sometimes it is more lacking for power users than for beginners. Good software should accommodate beginners, advanced beginners, power users, and experts equally well, and in this sense Moodle fails.

Source: http://acdalal.wordpress.com/2010/01/11/my-moodle-wish-list/

A very good summary. Moodle is good for beginners who really only need a place to upload some docs, have an online gradebook–if they can figure out how to use it–, and allow students to upload assignments. It does have those features and a few others–essentially the same features it had 5/6-years ago. Hard to believe? Download and install Moodle version 1.5 and look at what it had in 2004/2005 vs what it has today.

http://download.moodle.org/stable15

All the core features are pretty much the same…could explain a lot of the frustrations felt by power users. Yea, Moodle is cheaper than Blackboard, like a Mule is cheaper than a Mercedes. Until, of course, the vet bills (1, 2, 3, etc…) start coming in…then the cost of the Mercedes doesn’t seem so high and it’s a heck of a lot nicer ride without leaving a trail of manure behind it ;-)

Of course, Moodle 2.0 has been in the works for about 2 years now and promises to deliver a revolution to the LMS world once released. Moodle.com has opted out of the Google summer of code this year because 2.0 development demands all their time/energy. So, who knows, maybe 2.0 is what power users like the one quoted above have been waiting for…we’ll see.

Categories: Moodle Tags:

WordPress 2.9.2 Released — Bug Fix

February 15th, 2010 comment

WordPress 2.9.2 was just released and addresses a bug where logged in users can see trashed posts belonging to other authors. So, if you have sensitive files in the trash and multiple user accounts on your site, you should probably upgrade soon.

Categories: Upgrade WP, WP 2.9 Tags:

Locate & Remove SPAM Accounts from Your WordPress Blog

February 14th, 2010 2 comments

Are you getting bombarded with SPAM accounts being created on your WordPress blog? Well, there are several techniques to find and remove them, the more complicated involves creating and executing queries in the database, but one simple technique is available right in the WordPress admin. This video illustrates a simple technique for finding and deleting SPAM accounts from your WordPress blog.


Moodle Security, Censorship, and Trust — An Observation

February 3rd, 2010 17 comments

It’s no secret that Moodle, the open-source learning management system, has suffered from some very serious security problems recently. And those security problems aren’t limited to individuals who simply buy a cheap, $5 hosting account, install Moodle using Fantastico, and try to set up an online class when they really don’t know what they’re doing.

In fact, some of the biggest Moodle security problems have impacted customers of some of the largest professional Moodle hosting providers–Moodle Partners–commercial companies endorsed and certified by Moodle to provide professional, enterprise-level services.

One example of this is the Moodle porn spam issue that impacted millions of Moodle sites all over the world–and still impacts an untold number of sites today. This issue received world-wide attention when Primary School Moodle sites, provided by a certified Moodle Partner, were found to be infested with vile pornography.

Source: Primary schools hit by porn hackers
Source: Porn infecting ‘thousands’ of e-learning (Moodle) sites

Another example is the huge security hole first reported here just a couple months ago demonstrating how any teacher on any Moodle site in the world could download the entire user database table and have access to all user information–usernames, passwords, e-mail addresses, phone numbers, etc., for every user on the Moodle site.  Professional Moodle partners all over the world got caught sleeping at the wheel…again.

Source–just one of many: Groot gat in open source e-learning cms Moodle

One would think that an open-source “community” with problems as serious as Moodle has had recently, would invite open and honest communication about its products and services, but you would be wrong.

I don’t know many things for sure, but one thing I do know is that Moodle has not seen the last of these types of problems. The closed, arrogant, intolerant, atmosphere that has been cultivated on moodle.org by the Moodle lead developer will continue to ensure that there is no shortage of people just waiting to expose the next big hole…it’s not a matter of “if” there is another big hole…it’s only a matter of “when” it will bite Moodle (ergo Moodle users) in the rear.


WordPress Blog Hacked — Now What?

January 23rd, 2010 comment

Note: The following is made available under GPL from http://codex.wordpress.org/GPL. It has been edited significantly from its original form. There is no guarantee this information is accurate…use at your own risk.
—————————————————–

My WordPress blog has been hacked; or at least I think it’s been hacked. What do I do now?

The WordPress Exploit Scanner plugin can help detect damage so that it can be cleaned up. Other things you should do:

  • Change passwords for all blog users, including your own, with a role higher than Subscriber
  • If you upload files to your site via FTP, change your FTP password
  • Change your web hosting control panel (such as Cpanel) password
  • Completely remove all current WordPress core code and re-install the latest version of WordPress
  • Make sure you are only using trusted plugins and themes–those from wordpress.org or a trusted commercial developer
  • Remove all unused themes and plugins
  • Make sure all of your plugins and themes are up-to-date–it’s best to install new, clean copies of each theme and plugin
  • Update your security keys in wp-config.php
  • Search your entire web-directory (public_html directory, not just the WP directory) to ensure no other files are infected
  • Check directory and file permission on your server. Typically, directory permissions should be 755 and files should be 644, but this will depend on your particular server environment.
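
One way to run the permission check from the last item, as an added example that is not part of the original post or the WordPress Codex. The function names audit_perms and make_sample_tree are hypothetical, and the directory tree is constructed sample data standing in for public_html:

```shell
#!/usr/bin/env bash
# audit_perms ROOT [DIR_MODE] [FILE_MODE]
# Report every entry under ROOT whose mode differs from the expected one.
# Defaults follow the checklist (directories 755, files 644); pass other
# modes if your server environment requires them. Nothing is changed on disk.
audit_perms() {
    local root="$1" dir_mode="${2:-755}" file_mode="${3:-644}"
    # "-perm MODE" without a prefix is an exact match, so "!" selects deviations.
    find "$root" -type d ! -perm "$dir_mode" -print | sed 's/^/DIR  /'
    find "$root" -type f ! -perm "$file_mode" -print | sed 's/^/FILE /'
}

# Constructed sample tree (not a real site) with two deliberate deviations.
make_sample_tree() {
    local t
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp-content/uploads" "$t/wp-content/themes"
    touch "$t/index.php" "$t/wp-config.php" "$t/wp-content/uploads/photo.jpg"
    chmod 755 "$t" "$t/wp-content" "$t/wp-content/themes"
    chmod 777 "$t/wp-content/uploads"    # world-writable directory
    chmod 644 "$t/index.php" "$t/wp-content/uploads/photo.jpg"
    chmod 666 "$t/wp-config.php"         # world-writable config file
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
audit_perms "$tree"    # lists the uploads directory and wp-config.php
rm -rf "$tree"
```

Point audit_perms at the whole web directory rather than only the WordPress folder, and review each reported path before changing its mode.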

If all else fails, contact me and I will quote you a reasonable price for fixing your site for you…I only work on Linux systems with Cpanel, or an equivalent control panel.


Customize WordPress Post Revisions

January 17th, 2010 11 comments

In a default install of WordPress, each time you edit a post or page, WordPress will automatically save your previous posts/pages allowing the possibility of reverting to a previous version of that post or page. This is a cool feature, but it can get a little ridiculous when you have dozens of previous versions sitting below the post–and taking up space in your db. As you can see in the following screenshot, with just a couple of edits to this post, I’ve already racked-up 4 revisions…by the time I finish editing, I’ll probably have a dozen or so…

Each of those revisions requires a separate record in the db. So, although this is a cool feature, it can significantly add to db bloat.  If you don’t really care to have all those revisions sitting around, or if you want to limit the number, WordPress does provide an option to change the default behavior allowing you to either disable revisions completely or allowing you to limit the number of revisions saved. To make these changes you do need to edit your wp-config.php file directly…currently, there is no option for doing this in WP admin.

Disable Post Revisions

To completely disable the revisions feature, add the following code to your wp-config.php file (or edit it if it is already present). The word false disables this feature.

define('WP_POST_REVISIONS', false );

Specify the Number of Post Revisions

If you want to keep the revisions feature, but limit the number of revisions saved, then use the same code as above, but change false to the number of revisions you want to keep. In the example below, WordPress will keep the latest 3 post or page revisions.

define('WP_POST_REVISIONS', 3);


WordPress 2.9.1 Released — Fixes Scheduled Post Problem

January 5th, 2010 9 comments

WordPress version 2.9.1 was just released and should fix the annoying scheduled post problem. The problem was scheduled posts weren’t being published on some 2.9 installs — including a couple of my own installs :-( . Instead, when you looked at the list of posts you would just see errors reading “missed schedule” or something similar. There is a way of fixing the problem by editing a core file, but no need now…just upgrade to 2.9.1 and all should be well. Remember…backup, backup, backup before pressing the upgrade button–chances are you will have no problems, but if you do, you will be glad you backed up.
