Moodle Password Salting: An Introduction to this New Feature

November 23rd, 2009 4 comments

This video introduces you to the new user password salting feature in Moodle and demonstrates how to add this to your site. If your Moodle site is older than the date of this blog post, then chances are your passwords are not secure…this video shows you how to add password salting to significantly improve the security of your site.


MS Excel, the “IF” Function, & Letter Grades

November 18th, 2009 comment

In the following video, I demonstrate how to turn an average, total, or any other value into a letter grade, based on your grading scale, in your MS Excel gradebook. This is only one of many applications of these very powerful Boolean functions in Excel.

Categories: MS Office

WordPress Tip: Delete Old or Unwanted Plugins

November 16th, 2009 1 comment

Note: The following is made available under GPL from http://codex.wordpress.org/GPL. It may be edited a little from its original form, but probably not a lot. There is no guarantee this information is accurate…use at your own risk.
—————————————————–

Delete Old or Unwanted Plugins — Keeps Your Site Running Well and Increases Security

Many times a plugin doesn’t fit your site or you don’t need it, but you leave it there just in case. These tend to pile up in your Administration > Plugins Panel, making your plugin list long and cumbersome to scroll through. If left there long enough, they might become obsolete with the new WordPress versions and they could get outdated and cause problems–including security vulnerabilities. Check your Plugins list often and clean out the stuff you know you won’t use.

Begin your Plugins housekeeping by visiting the plugin author’s site to see if there are instructions on how to uninstall the plugin via the Plugins panel on the left side of the screen. Some plugins require adding tags and code to your Template files while others require modification of the WordPress administration files. Be sure to read through the plugin’s uninstall instructions and remove each of these modifications so your site will not have errors when the plugin is turned off.

If no specific instructions for uninstalling exist, then read through the installation instructions to check for modifications, if applicable, and reverse their changes, if implemented. If it has been a long time since you used this plugin, you still might have left its modifications in your template files and forgotten them. Carefully remove them.

To remove a plugin, make sure the plugin is deactivated from the Administration > Plugins Panel. Then you can uninstall in that same area. For some plugins, there may be left-over files in your plugins directory even after you uninstall using the admin interface. It’s always a good idea to look in your plugins directory to ensure the plugin files are gone…if not, then delete them.


A Critical Moodle LMS Security Vulnerability — All Versions

November 12th, 2009 36 comments

EDIT: Start of edit posted on 25 Nov 09…
Moodle releases urgent upgrade notice on Nov 25th, two weeks after this post. To upgrade your Moodle 1.9 or 1.8 branch installs, see the following information.
http://docs.moodle.org/en/Moodle_1.9.7_release_notes
http://docs.moodle.org/en/Moodle_1.8.11_release_notes

If you are among the tens of thousands of people using the 1.7 or 1.6 branches (which, as of today, are still being offered for download on moodle.org), it seems support for those branches has been discontinued and there is no fix for your sites. Upgrading is your only option.
End of edit on 25 Nov 09
——————————————————————–

The embedded video below is a short, to-the-point demonstration of a very serious Moodle security/privacy vulnerability that impacts all versions of Moodle. This video is intended to simply demonstrate the exploit. For further detail on the potential extent of this exploit, read the post below this video and see the extended video linked at the bottom of this post. In my informed opinion, aside from the obvious Moodle site security and potential user identity theft issues, this exploit has significant implications for FERPA compliance for all US public education institutions using the Moodle LMS.

If you are a Moodle user at any level, but particularly if you are using Moodle in an educational institution in the US, after watching this video, you may want to have discussions with your network security, FERPA, and/or legal experts on your campus to determine how this may impact your institution and what action you may need to take.

If you are a Moodle administrator, teacher, student, or even if you have ever simply created an account on a Moodle Learning Management System (LMS) site, you need to read this post and watch the videos. It’s no secret that Moodle has suffered from some pretty serious security and user privacy issues over the past few years, but nothing before that I am aware of comes close to the severity of the Moodle security/privacy vulnerability I discovered a few days ago. In the videos below I will demonstrate the problem and show you how you can verify the problem on your own Moodle site using nothing more than a normal teacher account. I’ll also show you how to patch the vulnerability and will discuss some important implications that you may need to consider after patching your site.

I stumbled across this problem after seeing the following exchange in the developer’s forum on moodle.org.

[Image: screenshot of the forum exchange (hash1)]

I spent 10 years in the 1980s as a teletype/crypto maintenance technician and although I haven’t kept up with the field, that reply by a core Moodle developer caught my attention. Particularly the last two sentences that read:

“Something that has been encrypted can be decrypted. Something that has been hashed cannot be.”

I think most people know the first sentence is correct, but the last sentence is completely off the mark. The user passwords in Moodle are unsalted MD5 hashes. MD5 has been proven to be breakable for years now–salted or not. A quick Google search on MD5 gives anyone all the information they need to know about the history of MD5 and its vulnerabilities. If you want to read up on it, you can start here (http://en.wikipedia.org/wiki/MD5) to get a good overview of the history and vulnerabilities and then follow dozens of other links for Brute Force MD5 cracking sites, like this one (http://gdataonline.com/seekhash.php) as well as more sophisticated methods for cracking MD5 hashes using Rainbow Tables and pre-computation methods…the latter, I admit, I don’t fully understand.

So, bottom line…knowing that MD5 is no longer considered secure (and hasn’t been for a long time); and knowing that Moodle user passwords are stored in the Moodle database as simple, unsalted MD5 hashes; then seeing the post above from one of the Moodle core developers and “security experts”…I got curious. The videos below show what I found…you need to watch them.
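
What the missing salt means in practice, as an added example (not code from this post or from Moodle): with bare MD5, every account that uses the same password stores the same value, on this site and on any other, which is what makes lookup tables work. The accounts are constructed, and PBKDF2 with a per-user salt is an assumed stand-in for a salted scheme, not Moodle's implementation.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts; names and passwords are invented for this example.
SAMPLE_USERS = {
    "teacher1": "sunshine",
    "student7": "sunshine",
    "admin": "c0rrect-h0rse-battery",
}
ITERATIONS = 100_000  # assumed work factor for the illustration


def md5_unsalted(password):
    """Storage scheme the post describes: a bare MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password, salt=None):
    """Random per-user salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest.hex()


def verify_salted(password, salt, stored_hex):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(pbkdf2_salted(password, salt)[1], stored_hex)


def shared_hash_groups(stored):
    """Audit helper: list groups of accounts whose stored values are identical."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def audit(users=SAMPLE_USERS):
    """Compare how much each storage scheme reveals about password reuse."""
    unsalted = {u: md5_unsalted(p) for u, p in users.items()}
    salted = {u: pbkdf2_salted(p)[1] for u, p in users.items()}
    return {"unsalted": shared_hash_groups(unsalted),
            "salted": shared_hash_groups(salted)}


if __name__ == "__main__":
    print(audit())
```

Running `shared_hash_groups` over the real password column of a user table is a quick way to tell whether per-user salting is actually in effect: any group it reports means two accounts hash to the same stored value.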

Click for Extended version of Moodle security exploit video

Click for video demonstration on how to patch your site


WordPress 2.9 New Features

November 3rd, 2009 comment

WordPress 2.9 should be released near the end of the month and will have a few neat, new features. Below are four new features that may be of most interest to the daily user. Note, there are several others that would be of interest to developers which are not listed here.

  1. Post Thumbnails: This allows you to automatically add an image to your posts. It’s the same type functionality you see in many custom themes where you can add images using “custom fields”, but this will make it a lot easier for most users.
  2. Trash Status: A deleted items area allowing you to recover deleted posts, pages, and comments.
  3. Basic Image Editing: You will be able to edit images in your media library. You can do basic editing like rotate, flip, resize, and crop. This will be a big plus for many users. Now if only there was a way to better organize those uploads (like the ability to create folders (directories) and subfolders) for better file management.
  4. Media Embeds: Makes it a lot simpler to embed media into your posts and pages.
Categories: Image Editing, WP 2.9

Overview of WordPress 2.8 Database Tables

October 24th, 2009 1 comment

Note: The following is made available under GPL from http://codex.wordpress.org/GPL. It may be edited a little from its original form, but probably not a lot. There is no guarantee this information is accurate…use at your own risk.
—————————————————–

WordPress 2.8 Database Table Overview

WordPress 2.8 Tables (10)

Table Name | Description | Relevant Area(s) of WordPress User Interface

wp_comments: The comments within WordPress are stored in the wp_comments table. Comments are created by readers as responses to posts. Comments are managed by the administrator via Administration > Comments > Comments

wp_links: The wp_links table holds information related to the links entered into the Links feature of WordPress.
  • Administration > Links > Add New
  • Administration > Links > Edit

wp_options: The Options set under the Administration > Settings panel are stored in the wp_options table.
  • Administration > Settings > General
  • Administration > Settings > Writing
  • Administration > Settings > Reading
  • Administration > Settings > Discussion
  • Administration > Settings > Privacy
  • Administration > Settings > Permalinks
  • Administration > Settings > Miscellaneous
  • Administration > Appearance > Widgets

wp_postmeta: Each post features information called the meta data and it is stored in the wp_postmeta table. Some plugins may add their own information to this table.
  • Administration > Posts > Add New
  • Administration > Pages > Add New

wp_posts: The core of the WordPress data is the posts. It is stored in the wp_posts table.
  • Administration > Posts > Add New
  • Administration > Posts > Edit
  • Administration > Pages > Add New
  • Administration > Page > Edit
  • Administration > Media > Add New
  • Administration > Media > Library

wp_terms: The categories for both posts and links and the tags for posts are found within the wp_terms table.
  • Administration > Posts > Tags
  • Administration > Posts > Categories
  • Administration > Links > Link Categories
  • Administration > Posts > Add New
  • Administration > Posts > Edit
  • Administration > Pages > Add New
  • Administration > Page > Edit

wp_term_relationships: Posts are associated with categories and tags from the wp_terms table and this association is maintained in the wp_term_relationships table. The association of links to their respective categories is also kept in this table.

wp_term_taxonomy: This table describes the taxonomy (category, link, or tag) for the entries in the wp_terms table.

wp_usermeta: Each user features information called the meta data and it is stored in wp_usermeta.
  • Administration > Users

wp_users: The list of users is maintained in table wp_users.
  • Administration > Users

WordPress Security Vulnerability — Upgrade is a Must!

October 21st, 2009 comment

There is a new WordPress security vulnerability that makes it very easy for anyone to launch a DoS attack on your WordPress site. See the details here: http://seclists.org/fulldisclosure/2009/Oct/263

An upgraded version of WordPress was released today to address this problem; version 2.8.5.

This security vulnerability impacts ALL WordPress versions prior to today’s release, so if you are running WordPress an upgrade is a must.

See the following posts on this site for upgrade information:

Upgrade using auto-upgrade: http://educhalk.org/blog/how-to-upgrade-wordpress-27/

Upgrade using Cpanel: http://educhalk.org/blog/how-to-upgrade-wordpress-to-27-using-cpanel/

Categories: Upgrade WP

How to Edit an Image for Use on the Web

October 19th, 2009 1 comment

A short video demonstrating how to crop and resize an image for use on the web.


WordPress Terminology: What is a Ping and a Pingback?

October 19th, 2009 comment

Note: The following is made available under GPL from http://codex.wordpress.org/GPL. It may be edited a little from its original form, but probably not a lot. There is no guarantee this information is accurate…use at your own risk.
—————————————————–
Ping

Within the WordPress interface, “ping” is sometimes used to refer to Pingbacks and Trackbacks.

In general computer terms, “ping” is a common utility used in a TCP/IP environment to determine if a given IP Address exists or is reachable. Typically, Ping is used to diagnose a network connection problem. Many times you will be asked, “Can you ping that address?”. That means, does the Ping utility return a success message trying to reach the “problem” IP Address?

Pingback

Pingback lets you notify the author of an article if you link to his article (article on a blog, of course). If the links you include in an article you write on a blog lead to a blog which is pingback-enabled, then the author of that blog gets a notification in the form of a pingback that you linked to his article.


WordPress Terminology: What is a Trackback?

October 18th, 2009 comment

Note: The following is made available under GPL from http://codex.wordpress.org/GPL. It may be edited a little from its original form, but probably not a lot. There is no guarantee this information is accurate…use at your own risk.
—————————————————–
Trackbacks in WordPress

Trackbacks were originally developed by SixApart, creators of the MovableType blog package.

In a nutshell, TrackBack was designed to provide a method of notification between websites: it is a method of person A saying to person B, “This is something you may be interested in.” To do that, person A sends a TrackBack ping to person B.

A better explanation is this:

  • Person A writes something on their blog.
  • Person B wants to comment on Person A’s blog, but wants her own readers to see what she had to say, and be able to comment on her own blog
  • Person B posts on her own blog and sends a trackback to Person A’s blog
  • Person A’s blog receives the trackback, and displays it as a comment to the original post. This comment contains a link to Person B’s post

The idea here is that more people are introduced to the conversation (both Person A’s and Person B’s readers can follow links to the other’s post), and that there is a level of authenticity to the trackback comments because they originated from another weblog. Unfortunately, there is no actual verification performed on the incoming trackback, and indeed they can even be faked.
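
One check a receiving blog can apply before displaying a trackback, as an added example (not WordPress code): confirm that the page named in the ping really contains a link to the post it claims to reference. The URLs and HTML below are constructed, the function names are hypothetical, and fetching the source page is left out, so the HTML is passed in.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

TARGET = "https://blog-a.example.org/2009/10/my-post/"  # constructed permalink

# Constructed source pages: one genuine, one that only mentions the URL.
GENUINE_HTML = '<p>See <a href="https://blog-a.example.org/2009/10/my-post">this</a>.</p>'
FAKED_HTML = ('<p>Cheap watches! https://blog-a.example.org/2009/10/my-post/</p>'
              '<!-- <a href="https://blog-a.example.org/2009/10/my-post/">x</a> -->')


class _AnchorCollector(HTMLParser):
    """Collects href values of real <a> tags; text and comments are ignored."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def _normalise(url):
    """Compare URLs on scheme, host, path (no trailing slash) and query."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    return (parts.scheme.lower(), parts.netloc.lower(), path, parts.query)


def source_links_to_target(source_url, source_html, target_url):
    """True only if the source page holds an anchor pointing at the target."""
    if urlsplit(source_url).scheme not in ("http", "https"):
        return False  # refuse file:, javascript: and other schemes outright
    collector = _AnchorCollector()
    collector.feed(source_html)
    wanted = _normalise(target_url)
    return any(_normalise(urljoin(source_url, h)) == wanted
               for h in collector.hrefs)


if __name__ == "__main__":
    print(source_links_to_target("https://blog-b.example.net/p/1", GENUINE_HTML, TARGET))
    print(source_links_to_target("https://spam.example.net/x", FAKED_HTML, TARGET))
```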

Most trackbacks send to Person A only a small portion (called an “excerpt”) of what Person B had to say. This is meant to act as a “teaser”, letting Person A (and his readers) see some of what Person B had to say, and encouraging them all to click over to Person B’s site to read the rest (and possibly comment).
