This video introduces you to the new user password salting feature in Moodle and demonstrates how to add this to your site. If your Moodle site is older than the date of this blog post, then chances are your passwords are not secure…this video shows you how to add password salting to significantly improve the security of your site.
In the following video, I demonstrate how to turn an average, total, or any other value into a letter grade, based on your grading scale, in your MS Excel gradebook. This is only one of many applications of these very powerful Boolean functions in Excel.
Note: The following is made available under GPL from http://codex.wordpress.org/GPL. It may be edited a little from its original form, but probably not a lot. There is no guarantee this information is accurate…use at your own risk.
—————————————————–
Delete Old or Unwanted Plugins — Keeps Your Site Running Well and Increases Security
Many times a plugin doesn't fit your site or you don't need it, but you leave it installed just in case. These pile up in your Administration > Plugins panel, making the list long and cumbersome to scroll through. Left there long enough, they fall behind new WordPress versions, and an outdated plugin can cause problems, including security vulnerabilities that nobody is fixing if the plugin is no longer maintained. Check your Plugins list often and clean out anything you know you won't use.
Begin your plugin housekeeping by visiting the plugin author's site to see whether there are specific uninstall instructions beyond deactivating it in the Plugins panel. Some plugins require adding tags and code to your template files, while others require modifying WordPress administration files. Read through the plugin's uninstall instructions and remove each of these modifications so your site will not throw errors once the plugin is turned off.
If no uninstall instructions exist, read through the installation instructions to check for modifications and reverse any that you applied. If it has been a long time since you used the plugin, you may well have left its modifications in your template files and forgotten about them. Carefully remove them.
To remove a plugin, first deactivate it from the Administration > Plugins panel, then delete it from that same panel. Deactivating alone is not enough: a deactivated plugin's files stay under wp-content/plugins/ and can still be requested directly by URL, so a plugin with a known vulnerability remains a risk until its files are actually gone. Some plugins also leave files behind even after you delete them through the admin interface, so look in your plugins directory afterwards and remove anything that is still there.
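To check a real install for plugins that are still on disk but not active, here is an added Python example (not from the Codex, WordPress or the original post). It parses the serialized active_plugins option value that WordPress keeps in wp_options and diffs it against the contents of the plugins directory. The option value and directory listing below are constructed sample data; the decision to ignore WordPress's own index.php placeholder is an assumption.

```python
import os
import re

# Constructed sample of the `active_plugins` option value WordPress keeps in
# wp_options (PHP serialize() format). Each s:N: is the byte length of the string
# that follows, so the numbers must match the strings exactly.
ACTIVE_PLUGINS_OPTION = 'a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:9:"hello.php";}'

# Constructed listing of wp-content/plugins/: directories carry a trailing slash,
# single-file plugins are bare .php files. index.php is WordPress's own placeholder.
ON_DISK = ["akismet/", "hello.php", "index.php", "old-stats-plugin/", "some-gallery/"]

_ARRAY = re.compile(rb"a:(\d+):\{")
_INT_KEY = re.compile(rb"i:(-?\d+);")
_STR_HEAD = re.compile(rb's:(\d+):"')


def php_unserialize_string_array(serialized: str) -> list:
    """Minimal reader for a PHP-serialized array whose values are all strings
    (the shape active_plugins has). Anything else raises ValueError."""
    data = serialized.encode("utf-8")
    m = _ARRAY.match(data)
    if not m:
        raise ValueError("not a serialized PHP array")
    count, pos, values = int(m.group(1)), m.end(), []
    for _ in range(count):
        key = _INT_KEY.match(data, pos)
        if not key:
            raise ValueError(f"expected integer key at offset {pos}")
        head = _STR_HEAD.match(data, key.end())
        if not head:
            raise ValueError(f"expected string value at offset {key.end()}")
        length, start = int(head.group(1)), head.end()
        end = start + length                      # length counts bytes, not characters
        if data[end:end + 2] != b'";':
            raise ValueError(f"string length mismatch at offset {start}")
        values.append(data[start:end].decode("utf-8"))
        pos = end + 2
    if data[pos:pos + 1] != b"}":
        raise ValueError("unterminated array")
    return values


def plugin_entry(plugin_file: str) -> str:
    """'akismet/akismet.php' -> 'akismet' (its directory); 'hello.php' -> 'hello.php'."""
    return plugin_file.split("/", 1)[0]


def list_plugin_entries(plugins_dir: str) -> list:
    """Top-level contents of a real wp-content/plugins/ in the same shape as ON_DISK."""
    entries = []
    with os.scandir(plugins_dir) as it:
        for e in it:
            if e.is_dir():
                entries.append(e.name + "/")
            elif e.name.endswith(".php"):
                entries.append(e.name)
    return sorted(entries)


def inactive_plugins_on_disk(option_value: str, on_disk, ignore=("index.php",)) -> list:
    """Plugins present on disk but absent from active_plugins: deactivated or never
    activated, yet still web-reachable until their files are deleted."""
    active = {plugin_entry(p) for p in php_unserialize_string_array(option_value)}
    present = {e.rstrip("/") for e in on_disk}
    return sorted(present - active - set(ignore))


if __name__ == "__main__":
    print("active:", php_unserialize_string_array(ACTIVE_PLUGINS_OPTION))
    print("on disk but inactive:", inactive_plugins_on_disk(ACTIVE_PLUGINS_OPTION, ON_DISK))
```

On a live site, get the option value with `SELECT option_value FROM wp_options WHERE option_name = 'active_plugins';` (or `wp option get active_plugins` if you have WP-CLI) and pass `list_plugin_entries("/path/to/wp-content/plugins")` as the on-disk list; anything the function reports is a candidate for removal after you have checked its uninstall instructions.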
If you are among the tens of thousands of people using the 1.7 or 1.6 branches (which, as of today, are still being offered for download on moodle.org), it seems support for those branches has been discontinued and there is no fix for your sites. Upgrading is your only option. End of edit on 25 Nov 09.
——————————————————————–
The embedded video below is a short, to-the-point demonstration of a very serious Moodle security/privacy vulnerability that impacts all versions of Moodle. This video is intended simply to demonstrate the exploit. For further detail on the potential extent of this exploit, read the post below this video and see the extended video linked at the bottom of this post. In my informed opinion, aside from the obvious Moodle site security and potential user identity theft issues, this exploit has significant implications for FERPA compliance at all US public education institutions using the Moodle LMS.
If you are a Moodle user at any level, but particularly if you are using Moodle in an educational institution in the US, after watching this video, you may want to have discussions with your network security, FERPA, and/or legal experts on your campus to determine how this may impact your institution and what action you may need to take.
If you are a Moodle administrator, teacher, or student, or even if you have ever simply created an account on a Moodle Learning Management System (LMS) site, you need to read this post and watch the videos. It's no secret that Moodle has suffered from some pretty serious security and user privacy issues over the past few years, but nothing before, that I am aware of, comes close to the severity of the Moodle security/privacy vulnerability I discovered a few days ago. In the videos below I will demonstrate the problem and show you how you can verify it on your own Moodle site using nothing more than a normal teacher account. I'll also show you how to patch the vulnerability and will discuss some important implications that you may need to consider after patching your site.
I stumbled across this problem after seeing the following exchange in the developer’s forum on moodle.org.
I spent 10 years in the 1980s as a teletype/crypto maintenance technician and although I haven't kept up with the field, that reply by a core Moodle developer caught my attention. Particularly the last two sentences, which read:
“Something that has been encrypted can be decrypted. Something that has been hashed cannot be.”
I think most people know the first sentence is correct, but the last sentence is completely off the mark. The user passwords in Moodle are stored as unsalted MD5 hashes. A hash is not "decrypted" in the sense of being reversed; the attacker simply hashes candidate passwords and compares the results, and because MD5 is an extremely fast function, dictionary and brute-force attacks run at millions of guesses per second on ordinary hardware. Because the hashes are unsalted, every user who chose the same password has the identical hash, and a lookup table computed once (a rainbow table is the space-efficient form of this) can be reused against every Moodle site in existence. MD5's well-known collision weaknesses are a separate issue; the practical problem for stored passwords is speed plus the missing salt, and salting alone only removes the shared table, not the speed. A quick Google search on MD5 gives anyone all the information they need about its history and weaknesses. If you want to read up on it, you can start here (http://en.wikipedia.org/wiki/MD5) to get a good overview and then follow dozens of other links to online MD5 lookup and cracking sites, like this one (http://gdataonline.com/seekhash.php), as well as more sophisticated methods for cracking MD5 hashes using rainbow tables and precomputation methods...the latter, I admit, I don't fully understand.
So, bottom line…knowing that MD5 is no longer considered secure (and hasn’t been for a long time); and knowing that Moodle user passwords are stored in the Moodle database as simple, unsalted MD5 hashes; then seeing the post above from one of the Moodle core developers and “security experts”…I got curious. The videos below show what I found…you need to watch them.
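To make the difference concrete, here is an added Python example (not code from this post or from Moodle) showing what an attacker can do with an unsalted MD5 password column versus a salted one, and why a deliberately slow hash is the real fix. The account names, passwords and wordlist are constructed; the salt||password layout and the PBKDF2 parameters are assumptions for illustration, not Moodle's scheme.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not real Moodle data): username -> password.
USERS = {"alice": "Password1", "bob": "letmein", "carol": "Password1"}

# Constructed attacker wordlist. A rainbow table does the same job as the dict
# built from it below, with far less storage.
WORDLIST = ["123456", "password", "Password1", "letmein", "qwerty", "moodle"]


def md5_unsalted(password: str) -> str:
    """How an unsalted MD5 password column is produced."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_salted(password: str, salt: str) -> str:
    """Per-user salt prepended before hashing (assumed layout: salt || password)."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def store_unsalted(users: dict) -> dict:
    return {u: md5_unsalted(p) for u, p in users.items()}


def store_salted(users: dict) -> dict:
    """{user: (salt, hash)}; the salt is stored in the clear next to the hash."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(8).hex()
        out[u] = (salt, md5_salted(p, salt))
    return out


def duplicate_groups(unsalted_store: dict) -> list:
    """Unsalted hashes leak password reuse: equal hash means equal password."""
    groups = defaultdict(list)
    for u, h in unsalted_store.items():
        groups[h].append(u)
    return [sorted(us) for us in groups.values() if len(us) > 1]


def crack_unsalted(unsalted_store: dict):
    """Pure table lookup. Returns (recovered, hash_ops); hash_ops is 0 because
    the table is built once, offline, and serves every unsalted site."""
    table = {md5_unsalted(w): w for w in WORDLIST}
    return {u: table[h] for u, h in unsalted_store.items() if h in table}, 0


def crack_salted(salted_store: dict):
    """The salt defeats the shared table: each user costs a fresh pass over the
    wordlist. With a fast hash like MD5 each guess is cheap, so the gain is linear."""
    recovered, hash_ops = {}, 0
    for u, (salt, h) in salted_store.items():
        for w in WORDLIST:
            hash_ops += 1
            if hmac.compare_digest(md5_salted(w, salt), h):
                recovered[u] = w
                break
    return recovered, hash_ops


def pbkdf2_store(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """A sane replacement: salted and deliberately slow, so every guess costs the
    attacker `iterations` hash operations instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


if __name__ == "__main__":
    unsalted = store_unsalted(USERS)
    print("users sharing a hash:", duplicate_groups(unsalted))
    print("unsalted, table lookup:", crack_unsalted(unsalted))
    print("salted, per-user wordlist:", crack_salted(store_salted(USERS)))
```

Running it shows all three unsalted passwords recovered with zero hashing at attack time, and alice and carol exposed as sharing a password before any cracking at all; the salted store still falls to the same wordlist, just at a few hashes per user, which is why the salt has to be paired with a slow function such as PBKDF2 or bcrypt.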
WordPress 2.9 should be released near the end of the month and will have a few neat, new features. Below are four new features that may be of most interest to the daily user. Note, there are several others that would be of interest to developers which are not listed here.
Post Thumbnails: This allows you to automatically add an image to your posts. It's the same type of functionality you see in many custom themes where you add images using "custom fields", but this will make it a lot easier for most users.
Trash Status: A deleted items area allowing you to recover deleted posts, pages, and comments.
Basic Image Editing: You will be able to edit images in your media library. You can do basic editing like rotate, flip, resize, and crop. This will be a big plus for many users. Now if only there was a way to better organize those uploads (like the ability to create folders (directories) and subfolders) for better file management.
Media Embeds: Makes it a lot simpler to embed media into your posts and pages.
Note: The following is made available under GPL from http://codex.wordpress.org/GPL. It may be edited a little from its original form, but probably not a lot. There is no guarantee this information is accurate…use at your own risk.
—————————————————–
WordPress 2.8 Database Table Overview
WordPress 2.8 Tables (10)

For each table: its name, what it stores, and the relevant area(s) of the WordPress user interface.

wp_comments
The comments within WordPress are stored in the wp_comments table. Comments are created by readers as responses to posts and are managed by administrators via Administration > Comments > Comments.
Administration > Comments > Comments

wp_links
The wp_links table holds the links entered into the Links feature of WordPress.
Administration > Links > Add New
Administration > Links > Edit

wp_options
The options set under the Administration > Settings panel are stored in the wp_options table. Plugins and themes also store their own settings here.
Administration > Settings > General
Administration > Settings > Writing
Administration > Settings > Reading
Administration > Settings > Discussion
Administration > Settings > Privacy
Administration > Settings > Permalinks
Administration > Settings > Miscellaneous
Administration > Appearance > Widgets

wp_postmeta
Each post has metadata (key/value pairs, including custom fields), stored in the wp_postmeta table. Some plugins add their own entries to this table.
Administration > Posts > Add New
Administration > Pages > Add New

wp_posts
The core of the WordPress data is the posts, stored in the wp_posts table. Pages and media library attachments are rows in this same table, distinguished by post_type.
Administration > Posts > Add New
Administration > Posts > Edit
Administration > Pages > Add New
Administration > Pages > Edit
Administration > Media > Add New
Administration > Media > Library

wp_terms
The categories for both posts and links, and the tags for posts, are stored in the wp_terms table.
Administration > Posts > Tags
Administration > Posts > Categories
Administration > Links > Link Categories
Administration > Posts > Add New
Administration > Posts > Edit
Administration > Pages > Add New
Administration > Pages > Edit

wp_term_relationships
Posts are associated with categories and tags from the wp_terms table, and this association is maintained in the wp_term_relationships table, one row per post/term pair. The association of links with their link categories is also kept in this table.

wp_term_taxonomy
This table records which taxonomy (category, link_category, or post_tag) each entry in the wp_terms table belongs to. The same term can appear under more than one taxonomy, with one row here per taxonomy.

wp_usermeta
Each user's metadata, including the serialized capabilities (role) entry, is stored in the wp_usermeta table.
Administration > Users

wp_users
The list of users, with login name, hashed password and e-mail address, is maintained in the wp_users table.
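The three term tables are the least obvious part of this layout, so here is an added Python example (not from the Codex or WordPress) that builds cut-down copies of wp_posts, wp_terms, wp_term_taxonomy and wp_term_relationships in an in-memory SQLite database and walks the relationships. Column names follow WordPress; the rows are constructed sample data, and the reduced column set is an assumption made to keep the schema short.

```python
import sqlite3

# Constructed, cut-down versions of four WordPress 2.8 tables: only the columns
# needed to show how they relate. Column names follow WordPress; rows are invented.
SCHEMA = """
CREATE TABLE wp_posts (
    ID INTEGER PRIMARY KEY, post_title TEXT NOT NULL, post_type TEXT NOT NULL);
CREATE TABLE wp_terms (
    term_id INTEGER PRIMARY KEY, name TEXT NOT NULL, slug TEXT NOT NULL UNIQUE);
CREATE TABLE wp_term_taxonomy (
    term_taxonomy_id INTEGER PRIMARY KEY,
    term_id INTEGER NOT NULL REFERENCES wp_terms(term_id),
    taxonomy TEXT NOT NULL,
    UNIQUE (term_id, taxonomy));
CREATE TABLE wp_term_relationships (
    object_id INTEGER NOT NULL,
    term_taxonomy_id INTEGER NOT NULL REFERENCES wp_term_taxonomy(term_taxonomy_id),
    PRIMARY KEY (object_id, term_taxonomy_id));
"""

SAMPLE_ROWS = {
    # Posts, pages and media attachments all live in wp_posts.
    "wp_posts": [(1, "Delete Old or Unwanted Plugins", "post"),
                 (2, "Moodle password hashes", "post"),
                 (3, "About this site", "page"),
                 (4, "screenshot.png", "attachment")],
    "wp_terms": [(1, "WordPress", "wordpress"), (2, "Security", "security"),
                 (3, "Moodle", "moodle")],
    # "WordPress" is both a category and a tag: one wp_terms row, two taxonomy rows.
    "wp_term_taxonomy": [(10, 1, "category"), (11, 2, "category"),
                         (12, 1, "post_tag"), (13, 3, "category")],
    # object_id is the wp_posts.ID; each row attaches one (term, taxonomy) to a post.
    "wp_term_relationships": [(1, 10), (1, 11), (1, 12), (2, 13), (2, 11)],
}


def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    conn.commit()
    return conn


def terms_for_post(conn: sqlite3.Connection, post_id: int) -> dict:
    """wp_term_relationships -> wp_term_taxonomy -> wp_terms for one post.
    Returns {taxonomy: [term names]}."""
    rows = conn.execute(
        """SELECT tt.taxonomy, t.name
           FROM wp_term_relationships AS tr
           JOIN wp_term_taxonomy AS tt ON tt.term_taxonomy_id = tr.term_taxonomy_id
           JOIN wp_terms AS t ON t.term_id = tt.term_id
           WHERE tr.object_id = ?
           ORDER BY tt.taxonomy, t.name""", (post_id,)).fetchall()
    out = {}
    for taxonomy, name in rows:
        out.setdefault(taxonomy, []).append(name)
    return out


def taxonomies_of_term(conn: sqlite3.Connection, slug: str) -> list:
    """A wp_terms row carries no taxonomy of its own; wp_term_taxonomy supplies it."""
    return [r[0] for r in conn.execute(
        """SELECT tt.taxonomy FROM wp_terms AS t
           JOIN wp_term_taxonomy AS tt ON tt.term_id = t.term_id
           WHERE t.slug = ? ORDER BY tt.taxonomy""", (slug,))]


def post_type_counts(conn: sqlite3.Connection) -> dict:
    """How many rows of each kind share the wp_posts table."""
    return dict(conn.execute(
        "SELECT post_type, COUNT(*) FROM wp_posts GROUP BY post_type ORDER BY post_type"))


if __name__ == "__main__":
    db = build_sample_db()
    print(terms_for_post(db, 1))          # categories and tags of post 1
    print(taxonomies_of_term(db, "wordpress"))
    print(post_type_counts(db))
```

The same joins work unchanged against a real WordPress database (MySQL), which is handy when auditing what a post, page or attachment is actually tagged with without trusting the admin interface.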
There is a new WordPress security vulnerability that makes it very easy for anyone to launch a denial-of-service (DoS) attack against your WordPress site. See the details here: http://seclists.org/fulldisclosure/2009/Oct/263
WordPress 2.8.5, released today, addresses this problem.
This vulnerability affects ALL WordPress versions prior to today's release, so if you are running WordPress an upgrade is a must.
See the following posts on this site for upgrade information:
Note: The following is made available under GPL from http://codex.wordpress.org/GPL. It may be edited a little from its original form, but probably not a lot. There is no guarantee this information is accurate…use at your own risk.
—————————————————–
Ping
Within the WordPress interface, "ping" is sometimes used to refer to Pingbacks and Trackbacks.
In general computer terms, "ping" is a common utility in a TCP/IP environment that sends ICMP echo requests to determine whether a host at a given IP address is reachable. Typically, ping is used to diagnose a network connection problem. Many times you will be asked, "Can you ping that address?", meaning: does the ping utility get a reply when trying to reach the "problem" IP address?
Pingback
Pingback lets you notify the author of an article when you link to it (an article on a blog, of course). If a link in a post you write leads to a blog that is pingback-enabled, the author of that blog receives a notification, in the form of a pingback, that you linked to the article. WordPress sends and receives pingbacks over XML-RPC, using the pingback.ping method.
Note: The following is made available under GPL from http://codex.wordpress.org/GPL. It may be edited a little from its original form, but probably not a lot. There is no guarantee this information is accurate…use at your own risk.
—————————————————–
Trackbacks in WordPress
Trackbacks were originally developed by Six Apart, creators of the Movable Type blog package.
In a nutshell, TrackBack was designed to provide a method of notification between websites: it is a way for person A to say to person B, "This is something you may be interested in." To do that, person A sends a TrackBack ping to person B.
A better explanation is this:
Person A writes something on their blog.
Person B wants to comment on Person A's blog, but wants her own readers to see what she had to say, and to be able to comment on her own blog.
Person B posts on her own blog and sends a trackback to Person A's blog.
Person A's blog receives the trackback and displays it as a comment on the original post. This comment contains a link to Person B's post.
The idea here is that more people are introduced to the conversation (both Person A's and Person B's readers can follow links to the other's post), and that there is a level of authenticity to the trackback comments because they originated from another weblog. Unfortunately, the trackback protocol itself performs no verification of the incoming ping: the receiving blog sees only the POSTed fields (url, title, excerpt, blog_name) and has no proof they came from the claimed source, so trackbacks can be faked, which is the basis of trackback spam.
Most trackbacks send Person A only a small portion (called an "excerpt") of what Person B had to say. This is meant to act as a "teaser", letting Person A (and his readers) see some of what Person B had to say, and encouraging them all to click over to Person B's site to read the rest (and possibly comment).
@netbuoy: Sorry...I'm still trying to figure out the interworkings of twitter. Have my blog set to auto tweet, so forgot how to login :-) (in reply to netbuoy, 2010-05-05)