26 September 2019
We are Eummena
As our technical team works on Moodle, we find ourselves tackling issues that may be of interest to other developers. As part of the Moodle community and advocates of openness, we decided to share our own experiences from Moodle Dev, among other things of course! If you haven’t read our previous post, take a look at “the tale of the user with no email”!
Security concerns are consistently identified as one of the top challenges for software development. Security is probably the key reason why most organisations won’t use a service provider.
Moodle already provides some security recommendations. Some of the highlights are the following:
- Perform regular updates of Moodle and its plugins
- Use Secure Sockets Layer (HTTPS)
- Establish a strict password policy for users
- Only provide accounts to trusted users. Avoid creating public sandboxes with free teacher accounts on production servers.
- Implement firewalls
- Use permission 700 on the Moodle data directory and 755 on the Moodle directory
- Clean user input by enabling the “forceclean” option in Moodle
To strengthen Moodle security even more, Eummena identified a security gap in Moodle related to uploading unwanted files. A Moodle user can upload any executable file by changing its file extension and uploading it to a Moodle course. After uploading, the file can be renamed with another extension and then executed by a shell command. For example, “filename.exe” can be changed to “filename.txt” and then uploaded to a Moodle course. After uploading, it can be renamed back to “filename.exe” and executed by a shell command.
To restrict the upload of unwanted files in Moodle, Eummena developed the Antivirus MIME Blocker plugin, which is the first antivirus plugin contributed to the Moodle plugin community under the antivirus category.
The MIME blocker plugin accurately checks the MIME type and allows only specific types of files to be uploaded. It works during the process of uploading a file to the Moodle LMS and checks whether the MIME type of the file matches one of the predefined MIME types added on the MIME blocker settings page. If the file type is defined there, the MIME blocker allows the upload; otherwise it shows an alert message indicating that you can upload only the specific file types defined in the MIME blocker settings.
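To illustrate the kind of check described above, here is an added example (not the plugin's own code, which this post does not show): a minimal Python sketch that derives the type from a file's leading bytes instead of its name and compares it with an allowlist. The signature table, the allowlist and the sample uploads are constructed for illustration.

```python
import codecs

# Added illustration; not the Antivirus MIME Blocker plugin's source code.
# Signature table and allowlist below are assumptions made for this example.
SIGNATURES = [
    (b"MZ", "application/x-dosexec"),          # Windows/DOS executable
    (b"\x7fELF", "application/x-executable"),  # ELF binary
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"PK\x03\x04", "application/zip"),
]
ALLOWED_MIME_TYPES = {"application/pdf", "image/png", "text/plain"}


def sniff_mime(content):
    """Guess the MIME type from the leading bytes, ignoring the file name."""
    for magic, mime in SIGNATURES:
        if content.startswith(magic):
            return mime
    sample = content[:4096]
    if b"\x00" not in sample:
        try:
            # Incremental decoder tolerates a multi-byte character cut at 4096.
            codecs.getincrementaldecoder("utf-8")().decode(sample)
            return "text/plain"
        except UnicodeDecodeError:
            pass
    return "application/octet-stream"


def check_upload(filename, content):
    """Return (allowed, detected_mime); the extension plays no part."""
    mime = sniff_mime(content)
    return mime in ALLOWED_MIME_TYPES, mime


# Constructed sample uploads, including the renamed executable from the post.
UPLOADS = {
    "filename.txt": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "notes.txt": "Week 1 reading list\n".encode("utf-8"),
    "syllabus.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
}

if __name__ == "__main__":
    for name, data in UPLOADS.items():
        allowed, mime = check_upload(name, data)
        print(f"{name:14} {mime:24} {'allow' if allowed else 'block'}")
```

In this sketch a plain-text script has no binary signature and is reported as text/plain, so a content-type allowlist complements, and does not replace, the directory permissions listed earlier.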
The MIME blocker antivirus plugin is very easy to use. To set it up, you can follow these three simple steps:
1. Install the MIME blocker plugin in Moodle
2. Enable the MIME blocker plugin from Site Administration > Plugins > Plugins overview
3. Add the permitted MIME types in the settings page of the MIME blocker plugin
And there you go, the system won’t allow the upload of any file types other than the specified ones!
Thanks for reading! Let us know if this plugin has helped you and of course, we’ll be happy to discuss questions or issues either in the comments section or on the plugin page in Moodle.
Story by: Azmat Ullah, Eummena