Security FAQ

How do I report a security issue?

See LMS security procedures in the dev docs for details on how to report a security issue.

Previously fixed security issues are listed in the LMS.org Security news. If you are unsure whether a problem has been fixed or not, it’s best to report it anyway.

How can I keep my site secure?

Always run the latest stable release of the branch you are using. Security fixes are shipped as newer releases on each branch, so upgrading to a more recent release of your branch is safe and should be done promptly.

How do I keep track of recent security issues?

  • Register your LMS site with paradisolms.net, making sure to enable the option of being notified about security issues and updates. After your registration is accepted, your email address will be automatically added to our low-volume security alerts mailing list.
  • All important security issues are eventually published to the general public via the LMS Security forum.

Who is able to view security issues in the Tracker?

Depending upon the security level of a Tracker issue, access is restricted to developers, testers or members of the security team.

How can I increase privacy in LMS?

See Increasing privacy in LMS.

How do I enable reCAPTCHA?

To add spam protection to the Email-based self-registration new account form with a CAPTCHA element:

  1. Obtain a reCAPTCHA key pair from http://recaptcha.net by signing up for a (free) account and entering your site’s domain.
  2. Copy and paste the public and private keys provided into the recaptchapublickey and recaptchaprivatekey fields in the manage authentication common settings in Administration > Plugins > Authentication > Manage authentication.
  3. Click the “Save changes” button at the bottom of the page.
  4. Follow the settings link for email-based self-registration in Administration > Plugins > Authentication > Manage authentication and enable the reCAPTCHA element.
  5. Click the “Save changes” button at the bottom of the page.

How can I run the security overview report?

To run the security overview report, go to Administration > Site administration > Reports > Security overview.

I have discovered Cross Site Scripting (XSS) is possible with LMS

Some forms of rich content used by instructors to enhance their courses rely on the same technologies (embedded scripts, event handlers, iframes and the like) that malicious users exploit for cross-site scripting attacks. If LMS were solely concerned with security, it would not allow this content at all. However, LMS is also concerned with education, so a balance has to be struck between securing the system and supporting instructors’ needs.

To strike that balance, permission to post XSS-capable content is controlled by capabilities flagged with the ‘XSS risk’. Content posted by a user who holds such a capability is rendered as authored; content from anyone else is filtered. In general, this means that admins and instructors can post XSS-capable content, but ordinary users cannot.

Occasionally security bugs are discovered in LMS’s handling of XSS-capable content, and we are grateful to the community for reporting these through responsible disclosure. Before reporting an XSS bug to LMS, please confirm that the account used to post the content (for example a student account, not an instructor or admin account) holds no capability flagged with the XSS risk; script that survives in content posted by such an account is a bug, while script in content posted by an instructor or admin is the intended behaviour.
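The capability gate and the triage rule above, as an added example in Python. This is illustrative code written for this page, not the LMS’s own implementation: the capability names (course:edit_content, site:config, forum:reply, forum:view), the risk-flag table, the allowlist sanitiser and the test payload are all constructed assumptions. It shows the same payload being stored verbatim for an XSS-risk holder, neutralised for an ordinary user, and how to decide whether what you found is reportable.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

RISK_XSS = "xss"

# Constructed capability table: capability name -> risk flags it carries.
# These names are illustrative assumptions, not the LMS's real capability names.
CAPABILITY_RISKS = {
    "course:edit_content": {RISK_XSS},    # instructors: may post unfiltered rich HTML
    "site:config": {RISK_XSS, "config"},  # admins
    "forum:reply": set(),                 # ordinary users: output is sanitised
    "forum:view": set(),
}


def has_xss_risk(capabilities):
    """True if any capability the user holds is flagged with the XSS risk."""
    return any(RISK_XSS in CAPABILITY_RISKS.get(cap, set()) for cap in capabilities)


# Allowlist applied to content from users without an XSS-risk capability.
ALLOWED_TAGS = {"p", "b", "i", "strong", "em", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" keeps relative links
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the input keeping only allowlisted tags and attributes.
    Unknown tags are dropped (their text is kept, escaped); <script>/<style>
    bodies are discarded entirely; unsafe href schemes and on* handlers go."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops onclick=, style=, src=, ...
            if name == "href" and urlparse(value.strip()).scheme.lower() not in SAFE_SCHEMES:
                continue  # drops javascript:, data:, vbscript: links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def render_post(html, capabilities):
    """XSS-risk holders' content is kept as authored; everyone else's is filtered."""
    return html if has_xss_risk(capabilities) else sanitize(html)


_ACTIVE = re.compile(r"<script|javascript:|<[^>]*\son\w+\s*=", re.IGNORECASE)


def looks_active(html):
    """Crude detector for script-bearing markup in rendered output."""
    return _ACTIVE.search(html) is not None


def triage(html, capabilities, renderer=render_post):
    """The FAQ's rule applied before filing an XSS report.
    'expected'    - poster holds an XSS-risk capability: rich content by design
    'neutralised' - poster lacks it and the filter removed the active content
    'report'      - poster lacks it yet active content survived: a real bug"""
    if has_xss_risk(capabilities):
        return "expected"
    return "report" if looks_active(renderer(html, capabilities)) else "neutralised"


# Constructed test payload: a script block plus a javascript: link with a handler.
PAYLOAD = ('<p>Hello</p><script>alert(1)</script>'
           '<a href="javascript:alert(1)" onclick="steal()">link</a>')

if __name__ == "__main__":
    print(render_post(PAYLOAD, {"course:edit_content"}))  # unchanged: instructor
    print(render_post(PAYLOAD, {"forum:reply"}))          # <p>Hello</p><a>link</a>
    print(triage(PAYLOAD, {"forum:reply"}))               # neutralised
```

The renderer parameter of triage is there so you can plug in the output you actually observed: if a student-role post comes back with the script intact, the result is "report"; if it only reproduces from an instructor or admin account, it is "expected" and not a bug.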