As our technical team works on Moodle, we find ourselves tackling issues that may be of interest to other developers. As part of the Moodle community and advocates of openness, we decided to share our own experiences from Moodle development, among other things of course! If you haven’t read our previous post, take a look at “the tale of the user with no email”!
Not the same MIME but you get the idea!
Security concerns are consistently identified as one of the top challenges for software development. Security is probably the key reason why most organisations won’t use a service provider.
Moodle already provides some security recommendations; some of the highlights are the following:
- Perform regular updates of Moodle and its plugins
- Use secure socket layer (SSL/TLS) encryption, i.e. serve the site over HTTPS
- Establish a strict password policy for users
- Only provide accounts to trusted users. Avoid creating public sandboxes with free teacher accounts on production servers.
- Implement firewalls
- Use permission 700 on Moodle data directory and 755 on Moodle directory
- Clean user input by enabling the “forceclean” option in Moodle
To strengthen Moodle security further, Eummena identified a security gap in Moodle related to uploading unwanted files. A Moodle user can upload an executable file simply by changing its extension before uploading it to a Moodle course. Once uploaded, the file can be renamed back to its original extension and then executed by a shell command. For example, “filename.exe” can be renamed to “filename.txt” and uploaded to a Moodle course; after uploading, it can be renamed back to “filename.exe” and executed by a shell command.
To restrict the upload of unwanted files in Moodle, Eummena developed the Antivirus MIME Blocker Plugin which is the first antivirus plugin contributed to the Moodle plugin community under the antivirus category.
The MIME blocker plugin checks the actual MIME type of each file and allows only specific types to be uploaded. It runs during the file upload process in the Moodle LMS and checks whether the MIME type of the file matches one of the MIME types predefined on the MIME blocker settings page. If the file type is on that list, the upload is allowed; otherwise the plugin shows an alert message stating that only the file types defined in the MIME blocker settings may be uploaded.
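The difference between trusting the uploader's file extension and inspecting the file's content is the whole point of the check above. The following Python snippet is an added illustration of that logic, not code from the Eummena plugin (which is a PHP plugin built on Moodle's antivirus API); the allowlist, the magic-byte table and the sample upload are constructed for the example, and `application/x-dosexec` is used as the label for a Windows executable.

```python
import mimetypes

# Constructed allowlist standing in for the "permitted MIME types" an
# administrator would enter on the plugin's settings page.
ALLOWED_MIME_TYPES = {"text/plain", "application/pdf", "image/png"}

# Small constructed table of magic-byte signatures; a real scanner would
# rely on libmagic (PHP's finfo) which knows far more formats.
MAGIC_SIGNATURES = [
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/x-dosexec"),        # Windows PE executable
    (b"\x7fELF", "application/x-executable"),  # Linux ELF executable
]


def sniff_mime(data: bytes) -> str:
    """Derive the MIME type from file content, ignoring the file name entirely."""
    for signature, mime in MAGIC_SIGNATURES:
        if data.startswith(signature):
            return mime
    # Treat the payload as plain text only if it decodes as UTF-8 and has no NUL bytes.
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "application/octet-stream"
    if b"\x00" in data:
        return "application/octet-stream"
    return "text/plain"


def extension_mime(filename: str) -> str:
    """The naive check: trust whatever extension the uploader chose."""
    guessed, _ = mimetypes.guess_type(filename)
    return guessed or "application/octet-stream"


def check_upload(data: bytes, filename: str, allowed=ALLOWED_MIME_TYPES):
    """Return (accepted, detected_mime).

    The upload is accepted only when the MIME type derived from the file's
    content is on the allowlist; the file name plays no part in the decision.
    """
    detected = sniff_mime(data)
    return detected in allowed, detected


# Constructed sample: a Windows executable header renamed to look like a text file.
RENAMED_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
RENAMED_EXE_NAME = "report.txt"

if __name__ == "__main__":
    print("extension says:", extension_mime(RENAMED_EXE_NAME))
    print("content check:", check_upload(RENAMED_EXE, RENAMED_EXE_NAME))
```

Run stand-alone, the extension-based guess reports `text/plain` for the renamed executable and would let it through, while the content-based check detects `application/x-dosexec`, which is not on the allowlist, and rejects the upload. Renaming the file back after upload changes nothing, because the decision was made on the bytes, not the name.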
The MIME blocker antivirus plugin is very easy to use. To set it up, you can follow these three simple steps:
1. Install the MIME blocker plugin in Moodle
2. Enable the MIME blocker plugin from Site Administration > Plugins > Plugins overview
3. Add the permitted MIME types in the settings page of the MIME blocker plugin
And there you go, the system won’t allow the upload of any other than the specified file types!
Thanks for reading! Let us know if this plugin has helped you and of course, we’ll be happy to discuss questions or issues either in the comments section or the plugin page in Moodle.