Thanks a lot for your detailed analysis and my apologies for not highlighting the security risks. My point of review is just to help new administrators learn about tools and plugins that can help them without doing actual code review. From an institution point of view, all plugins shall go through thorough testing and compatibility verification before they can be used in production environments.
The claim that the Webshell plugin “mitigates security risks associated with SSH” is a bold one. All that is required to access this plugin is an admin password. A properly configured SSH server that makes use of private/public keypairs (and optionally restricts commands) is far more secure than this approach – and its security has been reviewed by many more sets of eyes than this plugin has been.
Also worrisome is the author’s comment on lines 240-243 of the classes/executor.php file:
—
* Try to run the user code.
*
* This function should NEVER be called by other plugins since we do NOT check capabilities here again
—
In other words: the function that runs the user’s shell command does not do any checks to see whether the user is actually allowed to do so, and so the author is relying on other plugin authors to not use & abuse their code. It would be very easy to build a malicious plugin that exploits this function.
If you need shell access to a production Moodle server, learn how to configure SSH correctly (no passwords, public/private key authentication only, and consider making use of SSH’s restricted commands feature). Also consider running it on a different port than the default (port 22). Security-wise, you’ll be better off.
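As an added example (not from the comment above, nor from the plugin or Moodle project), a POSIX shell check of the sshd settings the commenter recommends: password logins off, public-key authentication on, a non-default port. It runs against two constructed sshd_config samples written to temp files; the function names `effective_value` and `audit_sshd_config` are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original comment thread. sshd honours the
# FIRST occurrence of a keyword in the global section, so a later
# "PasswordAuthentication no" does not override an earlier "yes"; the check
# below follows the same rule and ignores anything inside Match blocks.

# effective_value FILE KEYWORD -> first uncommented value before any Match block
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == "match" { exit }                  # global section ends
        tolower($1) == key { print $2; exit }            # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE -> one line per check; returns 1 if any check is WEAK
audit_sshd_config() {
    cfg="$1"; rc=0
    # sshd_config(5) defaults apply when a keyword is absent: yes / yes / yes / 22
    # (KbdInteractiveAuthentication was ChallengeResponseAuthentication before OpenSSH 8.7)
    pw=$(effective_value "$cfg" PasswordAuthentication)
    kbd=$(effective_value "$cfg" KbdInteractiveAuthentication)
    pk=$(effective_value "$cfg" PubkeyAuthentication)
    port=$(effective_value "$cfg" Port)
    [ "${pw:-yes}" = no ]   && echo "OK: PasswordAuthentication no"        || { echo "WEAK: password logins allowed"; rc=1; }
    [ "${kbd:-yes}" = no ]  && echo "OK: KbdInteractiveAuthentication no"  || { echo "WEAK: keyboard-interactive password logins allowed"; rc=1; }
    [ "${pk:-yes}" = yes ]  && echo "OK: PubkeyAuthentication yes"         || { echo "WEAK: public-key authentication disabled"; rc=1; }
    [ "${port:-22}" != 22 ] && echo "OK: Port ${port}"                      || echo "NOTE: default port 22 in use"
    return $rc
}

# Constructed samples (not real server configs).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
Port 22
PasswordAuthentication yes
# the following line is ignored by sshd: first occurrence wins
PasswordAuthentication no
EOF
cat > "$HARD_CFG" <<'EOF'
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
Match User deploy
    PasswordAuthentication yes
EOF

audit_sshd_config "$WEAK_CFG"; echo "---"; audit_sshd_config "$HARD_CFG"
```

The restricted-commands feature the commenter mentions lives in `authorized_keys` rather than sshd_config: a `command="..."` option on a key line forces that command for every session using the key, so a separate check of that file would be needed to cover it.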
Please send an email to mail [at] jassi.in