  1. Moodle
  2. MDL-44605

Improved returnurl redirect validation in calendar


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.4.10, 2.5.4, 2.6.3, 2.7, 2.8
    • Fix Version/s: 2.6.4, 2.7.1
    • Component/s: Calendar
    • Labels:
    • Testing Instructions:

      Verify validation is improved:

      1. Visit the following URL (replacing the bits in capitals as necessary)
        http://YOURMOODLE/calendar/set.php?return=aHR0cDovL3d3dy5nb29nbGUuY29t&sesskey=YOURSESSKEY&var=showuser
      2. Verify that you don't get redirected to Google

      Verify redirects still work ok:

      1. Go to a calendar page
      2. Click all the links in 'Hide global events'
      3. VERIFY the actions continue to work and that you end up on the correct page
      4. Visit a different calendar page (e.g. move to a different month)
      5. Verify you get redirected to the correct page
    • Affected Branches:
      MOODLE_24_STABLE, MOODLE_25_STABLE, MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE
    • Fixed Branches:
      MOODLE_26_STABLE, MOODLE_27_STABLE

      Description

      It has been identified that redirection pages within Moodle are vulnerable to malicious abuse. If the page to which the user is taken is governed by an unchecked parameter, then an attacker can craft links that will redirect a victim to a malicious site. The malicious site could be used to infect the victim with malware or to conduct a phishing attack. In the case of a phishing attack, an attacker can easily clone the look and feel of the application to fool the user into entering sensitive information, such as login credentials or credit card information.

      Replace the 'sesskey' value with a valid key; this example will redirect a victim to the "http://google.com" site, which is the base64-decoded value of 'aHR0cDovL2dvb2dsZS5jb20K':
      https://moodle.dev/calendar/set.php?return=aHR0cDovL2dvb2dsZS5jb20K&sesskey=gdU8pBLYn2&var=showcourses
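
The kind of check the issue title asks for, as an added example that is not Moodle's code or the actual fix: the base64 `return` value is decoded and accepted only if it stays under the site's own root URL. The function name `safe_return_url`, the root `https://moodle.example` and the fallback target are assumptions made for illustration.

```php
<?php
// Added example, not Moodle's code. Function name and site root are assumptions.

/**
 * Decode a base64 "return" parameter and accept it only when it points
 * inside the site's own root URL; anything else yields $fallback.
 */
function safe_return_url(string $encoded, string $wwwroot, string $fallback): string
{
    // Strict mode returns false for input that is not valid base64.
    $url = base64_decode($encoded, true);
    if ($url === false || $url === '') {
        return $fallback;
    }
    // Control characters (CR, LF, NUL ...) and backslashes have no place in a
    // redirect target; the description's sample value decodes with a trailing "\n".
    if (preg_match('/[\x00-\x1f\x7f\\\\]/', $url)) {
        return $fallback;
    }
    // A plain prefix match is not enough: "https://moodle.example.other.example/"
    // also starts with the root, so the character right after the root must
    // end the authority part of the URL.
    $root = rtrim($wwwroot, '/');
    if (strncmp($url, $root, strlen($root)) !== 0) {
        return $fallback;
    }
    $next = substr($url, strlen($root), 1);
    return in_array($next, ['', '/', '?', '#'], true) ? $url : $fallback;
}

$root = 'https://moodle.example';              // constructed site root
$fallback = $root . '/calendar/view.php';      // constructed default target
$samples = [
    'aHR0cDovL3d3dy5nb29nbGUuY29t',            // value from the testing instructions
    'aHR0cDovL2dvb2dsZS5jb20K',                // value from the description
    base64_encode($root . '/calendar/view.php?view=month'),  // constructed, local
    base64_encode($root . '.other.example/'),  // constructed, prefix lookalike
    base64_encode('//other.example/'),         // constructed, scheme-relative
    'not base64!',                             // constructed, undecodable
];
foreach ($samples as $s) {
    printf("%s\n  => %s\n", $s, safe_return_url($s, $root, $fallback));
}
```

Only the third sample is returned unchanged; every other value resolves to the fallback calendar page.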

            People

            Assignee:
            poltawski Dan Poltawski
            Reporter:
            gerryghall Gerry Hall
            Peer reviewer:
            Petr Skoda
            Integrator:
            Eloy Lafuente (stronk7)
            Tester:
            Damyon Wiese
            Participants:
            Component watchers:
            Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze

              Dates

              Created:
              Updated:
              Resolved:
              Fix Release Date:
              14/Jul/14