Research Report: “Investigation on Security in LMS Moodle”
The research report attached to this post was published in the “International Journal of Information Technology and Knowledge Management, January-June 2011, Volume 4, No. 1, pp. 233-238“. It covers some major security flaws in Moodle that will not surprise anyone who has been following Moodle security issues for the past few years. I no longer need to use Moodle, but for those of you who do rely on it, don’t be fooled…just because I’m no longer dedicating time and effort to publically demonstrate major security flaws in the Moodle code and design, don’t take that as a sign that those problems no longer exist! I know of at least two major security holes in the latest version of Moodle and one of them is just as bad as this one I publicized not long ago…and like that vulnerability, it has been discussed in the Moodle forums for months and has received no attention by the devs. If that security issue is not addressed in the next few months, then I may do another “open demonstration” for the public…that seems to be the only way to force action by the Moodle lead dev.
In the meantime, you may want to read this study on Moodle security. Below are some of the more interesting excerpts from the paper.
LMS Moodle has much vulnerability like authentication, availability, confidentiality and integrity attacks. So, it is necessary to develop a mechanism that defends these security flaws of LMS Moodle.
Moodle is only for IT experts. It is complex for normal users to use and more than 66% of them are teachers, researchers and administrators . It is difficult for beginner technicians to install and use Moodle , because there are many technical word lists in installation instructions.
It [Moodle] does not support the SSL implementation all over the site.
It stores the user data into cache which can be later used by the attacker to launch the attack for next session.
Brute force attack is possible on Moodle as the attacker may try different keys for several numbers of times.
We have determined following security attacks on Moodle such as session attack; design attack and user log out, session not closed. Session attack which is effective against Moodle is session hijacking. As per the concern of design attacks, Moodle is vulnerable to password prediction and user name prediction. Another, security vulnerability is that when the user logout still the session is not closed. When the user clicks on the back button then he reaches the page which was logged out earlier.
Moodle (modular object oriented dynamic learning environment) is defenseless to password prediction and username prediction.
I thought the last quote above about the modular object oriented design being “defenseless” deserves special attention. If you accept this conclusion, then what that really means is that Moodle is fatally flawed since that is the foundation of Moodle’s design–Modular Object Oriented Dynamic Learning Environment–is Moodle! So, to conclude that entire approach to LMS design is “defenseless” when it comes to security issues is quite damming.
Moodle = 1990’s Technology in 2012