The latest issue of Linux Voice included a cover feature on common security flaws in web applications and how they can be exploited. Alongside this, they are running a competition to win a Linux Voice t-shirt. To win the competition, you need to be the person who finds the most security vulnerabilities in one of my favorite open source projects, Moodle.
I’ve got a lot of experience of working with Moodle’s codebase, and I know that its developers have taken security seriously. There are APIs in there to protect against SQL injection, cross-site scripting and the other common attack vectors. This is vital in a system like Moodle, which might hold a wealth of personal data about students, as well as assignments and assessment systems.
While these APIs exist, Moodle has a huge codebase maintained by a large community of contributors. You can write a query using the database API which will be protected against attacks, but a lazy or less experienced programmer might have written vulnerable code which hasn’t been replaced. Equally, you might be able to think of an attack that no-one thought to defend against. In the wake of Heartbleed and similar high-profile vulnerabilities, it’s great to see a competition like this encouraging scrutiny of a popular project’s security.
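As an added illustration of the point above (this is not code from the post or from Moodle itself), here is the same user lookup written first by concatenating input into the SQL string and then with the database API’s placeholders; it assumes Moodle’s global `$DB` object is available, as it is inside any plugin that has loaded config.php, and the function names are hypothetical.

```php
<?php
// Added example, not Moodle's own code. Assumes Moodle's global $DB
// (moodle_database) is available, as it is inside a plugin or script
// that has required config.php. Function names are hypothetical.
defined('MOODLE_INTERNAL') || die();

/**
 * Vulnerable: the caller's input is spliced straight into the SQL text,
 * so the DB API has nothing to protect. A stray single quote in $email
 * changes the structure of the query rather than being treated as data.
 */
function find_users_by_email_unsafe(string $email): array {
    global $DB;
    $sql = "SELECT id, username, email FROM {user} WHERE email = '" . $email . "'";
    return $DB->get_records_sql($sql);
}

/**
 * Safe: the value is passed as a bound parameter in the $params array,
 * so the driver never interprets it as part of the SQL.
 */
function find_users_by_email_safe(string $email): array {
    global $DB;
    $sql = "SELECT id, username, email FROM {user} WHERE email = ?";
    return $DB->get_records_sql($sql, [$email]);
}

/**
 * Simplest: let the API build the WHERE clause from a conditions array,
 * which leaves no SQL string for a reviewer to check by hand.
 */
function find_users_by_email_simplest(string $email): array {
    global $DB;
    return $DB->get_records('user', ['email' => $email], '', 'id, username, email');
}
```

When reviewing code in a contest like this, searching for `get_records_sql` or `execute` calls whose SQL string is built with `.` concatenation or `"$var"` interpolation is a quick way to find candidates for the first pattern.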
The prizes in the competition will go to whoever has the most security issues verified on the Moodle tracker, whoever can successfully access a specific file in the site’s web root, and whoever can successfully access a specific file outside the site’s web root. The competition runs until 8th July (unless the server gets destroyed before then), and you can find out the full details on the competition’s website. Happy hacking!