A scanning tool for Moodle LMS, after v1.7.0. in development
How does it work?
MooScan downloads a copy of the public Moodle GIT repository and plugin database and pulls in files of interest which can be used to determine the installed Moodle version, determine if local public changes have been made, and allows brute-force scanning of an install to determine any and all installed plugins (and their versions, too!)
Moodle itself includes a lot of content inside its web root that can be very revealing. Information such as composer.json, package.json, npm-shrinkwrap.json which all include version numbers used to build libraries; install.xml files used to setup databases which include version numbers, and in some older versions, .html files which include PHP - these files are pulled in by Moodle, and, in some cases, may have been modified by admins to include their production values (auth/ldap/config.html I'm looking at you!). As a Moodle admin, it would be nice to know this. As a pentester, it would be doubly-nice to know this!
In a previous life, I was a developer in a small team maintaining a large Moodle install (35k users) and while we were careful with our install, I realised that others may not be so careful..
- Allows administrators to determine exactly what is visible externally in their Moodle installation.
- A tool for penetration testers to find potential vulnerabilities in a Moodle installation by enumerating installed plugins, themes and libraries.
- Build container
docker-compose --build up
- Run PEP8 tests
docker-compose run --entrypoint "pep8 -v *.py lib/" mooscan
- Run unit-tests
docker-compose run --entrypoint pytest mooscan
To be defined once the basic (MVP!) tool is released, functional and reliable.
- Codingo; for the gentle nudges to get this tool to a point where it may be useful for the community.
- SecTalks for the continual support and encouragement.