Moodle LMS is used by more than 415 million users around the world. Its collection of more than 2,200 free-to-use plugins allows new functionality to be added. Webshell is a versatile plugin designed for Moodle, an open-source learning management system.
This plugin allows administrators to execute shell commands directly from the Moodle interface, streamlining various administrative tasks without needing direct server access. Whether you need to manage files, monitor system performance, or perform routine maintenance, Local Webshell simplifies the process. This powerful tool provides Moodle administrators with a secure, web-based shell, enabling efficient management of their Moodle site.
Key Features
- Secure Access: Local Webshell ensures secure shell access, mitigating potential security risks associated with traditional SSH access.
- Ease of Use: With an intuitive interface, administrators can execute commands with ease, making it accessible even for those with limited technical knowledge.
- Real-time Monitoring: Keep track of system performance and logs in real-time, helping you identify and resolve issues promptly.
- Customization: Tailor the plugin to suit your specific needs, enhancing the flexibility and efficiency of your Moodle site management.
You can download the Webshell plugin from the official plugin repository here.
What are the other useful plugins you are using on your Moodle site? Please share with us in the comments section below.
I would be very cautious about running the Webshell plugin on any Moodle installation, especially a production one. The plugin is only 2 weeks old (as of June 13th) – the codebase is not mature.
The claim that the Webshell plugin “mitigates security risks associated with SSH” is a bold one. All that is required to access this plugin is an admin password. A properly configured SSH server that makes use of private/public keypairs (and optionally restricts commands) is far more secure than this approach – and its security has been reviewed by many more sets of eyes than this plugin has been.
Also worrisome is the author’s comment on lines 240-243 of the classes/executor.php file:
—
* Try to run the user code.
*
* This function should NEVER be called by other plugins since we do NOT check capabilities here again
—
In other words: the function that runs the user’s shell command does not do any checks to see whether the user is actually allowed to do so, and so the author is relying on other plugin authors to not use & abuse their code. It would be very easy to build a malicious plugin that exploits this function.
If you need shell access to a production Moodle server, learn how to configure SSH correctly (no passwords, public/private key authentication only, and consider making use of SSH’s restricted commands feature). Also consider running it on a different port than the default (port 22). Security-wise, you’ll be better off.
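The SSH recommendations in the comment above (no passwords, key-only authentication, restricted commands, a non-default port) can be checked mechanically. The following is an added example, not part of the original comment or of the plugin; the sample configurations, the placeholder key material and the `/usr/local/bin/moodle-maint` wrapper path are constructed for illustration.

```python
import re

# Constructed sample inputs; key material is a placeholder, the wrapper path is hypothetical.
WEAK_SSHD = """\
Port 22
PasswordAuthentication yes
# Appended later as a "fix", but sshd keeps the first value it reads.
PasswordAuthentication no
"""
HARDENED_SSHD = """\
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
"""
OPEN_KEY = "ssh-ed25519 AAAAC3PLACEHOLDER admin@example"
PINNED_KEY = 'restrict,command="/usr/local/bin/moodle-maint" ssh-ed25519 AAAAC3PLACEHOLDER admin@example'

def effective_settings(text):
    """Global sshd_config values: keywords are case-insensitive, first value wins."""
    seen, ports = {}, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, value = (line.lower().split(None, 1) + [""])[:2]
        if key == "match":   # simplification: conditional blocks are not evaluated
            break
        if key == "port":    # Port may be given several times; every one is opened
            ports.append(value)
        seen.setdefault(key, value)
    seen["ports"] = ports or ["22"]                     # sshd default port
    seen.setdefault("passwordauthentication", "yes")    # sshd default
    seen.setdefault("pubkeyauthentication", "yes")      # sshd default
    return seen

def audit_sshd(text):
    """Check a config against the three recommendations; return a list of findings."""
    s, findings = effective_settings(text), []
    if s["passwordauthentication"] != "no":
        findings.append("password logins enabled")
    if s["pubkeyauthentication"] != "yes":
        findings.append("public-key authentication disabled")
    if "22" in s["ports"]:
        findings.append("listening on default port 22")
    return findings

def forced_command(key_line):
    """Return the command= pinned to an authorized_keys entry, or None if unrestricted."""
    pattern = r'(?:[^\s",]+(?:="(?:[^"\\]|\\.)*")?,)*command="((?:[^"\\]|\\.)*)"'
    m = re.match(pattern, key_line.strip(), re.I)
    return m.group(1) if m else None
```

The weak sample is flagged even though it contains `PasswordAuthentication no`, because the earlier `yes` is the value sshd uses; running `sshd -T` on the server prints the effective configuration for comparison.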
Thanks a lot for your detailed analysis and my apologies for not highlighting the security risks. My point of review is just to help new administrators learn about tools and plugins which can help them without doing actual code review. From an institution point of view, all plugins shall go through a thorough testing and compatibility verification before they can be used in production environments.