Moodle

Security report warns about XSS when users have teacher roles

Details

  • Type: Sub-task
  • Status: Open
  • Priority: Minor
  • Resolution: Unresolved
  • Affects Version/s: 1.9.3
  • Fix Version/s: None
  • Component/s: Administration
  • Labels: None
  • Difficulty: Moderate
  • Affected Branches: MOODLE_19_STABLE

Description

On the security report available on the latest moodle_19_weekly, the XSS trusted users warning appears when users have the Teacher role in the course context.

While it is correct that the teacher role should be assigned to trusted users, the warning may suggest assigning teacher in courses is dangerous.

Wouldn't it be preferable to fire a more moderate message when the Teacher role is detected in course contexts, or to better explain the reason we warn users?

A good starting point could be to present the list of users (shown on the Risk explanation page) with the role they have and in which context. This could help to better understand the real risk condition.

Activity

Petr Škoda (skodak) added a comment -

Unfortunately, assigning teachers is VERY risky.

A solution could be to add a new UI for user trusts and display only users that do not have the XSS trust bit set in the trust bitmask.

Enrique Castro added a comment - edited

Hi,
OK, considering teachers as Trusted is risky. That's quite right.

But, working on 1.9.5, if I set the "moodle/site:trustcontent" permission to "Prevent" or "Prohibit", I still see the warning.
Even if the "enabletrusttext" config setting is set to NO (unchecked), I still see the warning.

Is the "trusted" exception working at all if "enabletrusttext" is disabled? Is content being cleaned or not in this condition?

If user input is being cleaned, then there is no reason to scare people about XSS trusted users.

Petr Škoda (skodak) added a comment -

This is not about text only: uploading any file to the web server is a risk. We can only try to minimize the risks by forcing download of all student-uploaded files; this is one of the reasons why we will never allow uploading of files/text by unregistered users or guests.

So no, you always have to trust teachers that are creating content.

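As an added illustration (not Moodle's own code), the following Python model shows the report logic discussed in this thread: it lists role assignments whose role carries XSS risk, drops users whose trust bitmask has the XSS bit set as Petr suggests, and records role, context and a milder severity for course-level assignments as the reporter asks. The bit values, role names, assignments and trust values are constructed assumptions.

```python
# Constructed model of the "XSS trusted users" security report discussed in this
# issue. This is not Moodle code; bit values, role names and sample data are
# assumptions chosen for illustration.
RISK_XSS = 0x0004   # assumed risk bit carried by capabilities allowing raw HTML or file upload
TRUST_XSS = 0x0001  # assumed bit in a per-user trust bitmask set through an admin "trust" UI

# Constructed role definitions: role shortname -> risk bits of its capabilities
ROLE_RISKS = {
    "editingteacher": RISK_XSS,
    "manager": RISK_XSS,
    "student": 0,
}

# Constructed role assignments: (userid, role shortname, context)
ASSIGNMENTS = [
    (1, "editingteacher", "course:101"),
    (2, "editingteacher", "course:102"),
    (3, "student", "course:101"),
    (4, "manager", "system"),
]

# Constructed per-user trust bitmask; users 1 and 4 have been explicitly trusted
USER_TRUST = {1: TRUST_XSS, 2: 0, 3: 0, 4: TRUST_XSS}

def xss_risk_assignments(assignments, role_risks):
    """Every assignment whose role carries RISK_XSS: what the current report counts."""
    return [a for a in assignments if role_risks.get(a[1], 0) & RISK_XSS]

def severity(context):
    """Reporter's suggestion: a milder message for Teacher roles in course contexts."""
    return "moderate" if context.startswith("course:") else "critical"

def untrusted_xss_users(assignments, role_risks, user_trust):
    """Proposed refinement: only users lacking the XSS trust bit, with role, context
    and severity, so an admin can see the real risk condition per assignment."""
    report = {}
    for userid, role, context in xss_risk_assignments(assignments, role_risks):
        if user_trust.get(userid, 0) & TRUST_XSS:
            continue  # admin already reviewed and trusted this user
        report.setdefault(userid, []).append((role, context, severity(context)))
    return report

if __name__ == "__main__":
    for userid, entries in untrusted_xss_users(ASSIGNMENTS, ROLE_RISKS, USER_TRUST).items():
        for role, context, level in entries:
            print(f"user {userid}: {role} in {context} ({level})")
```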
