Moodle / MDL-47950

$duplicate action in course/mod.php does not include a sesskey check

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.8
    • Fix Version/s: 2.8
    • Component/s: Course
    • Labels:
    • Testing Instructions:

      Test 1
      Run behat or ask the integrators about its results regarding the duplicated activities tests

      Test 2

      You will need a course with at least 1 activity

      1. Disable JS in your browser
      2. Go to that course as an admin or teacher and turn editing mode on
      3. Get the duplicate activity link (the a tag wrapping the duplicate icon in the page source)
      4. Copy it into another browser window and remove the sesskey param
      5. You SHOULD see an "A required parameter (sesskey) was missing" error
      6. The activity SHOULD NOT be duplicated
      7. Back in the main window, click on the duplicate icon
      8. The activity SHOULD be duplicated
      9. Enable JS again in your browser
      10. Refresh the course main page
      11. Click on the duplicate activity icon
      12. The activity SHOULD be duplicated
    • Affected Branches:
      MOODLE_28_STABLE
    • Fixed Branches:
      MOODLE_28_STABLE

      Description

      I guess this cannot be used for CSRF, but still, deleting tons of activities created by some joker would not be very funny.
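      What the fix amounts to, as an added illustration rather than Moodle's actual commit: the $duplicate branch of course/mod.php needs a require_sesskey() call before anything is duplicated, and the icon link must carry sesskey() so a legitimate click passes. The Moodle API names used (optional_param, get_coursemodule_from_id, require_login, require_capability, require_sesskey, sesskey, moodle_url, course_get_url) are real; duplicate_module() is assumed to be the 2.8 course/lib.php helper, and the surrounding structure is simplified.

```php
<?php
// Added illustration of the fix, not Moodle's own course/mod.php.
// Before the fix, the $duplicate branch went straight from the capability
// checks to duplicating the module: any GET request naming a cmid did it.
require_once('../config.php');
require_once($CFG->dirroot . '/course/lib.php');

$duplicate = optional_param('duplicate', 0, PARAM_INT); // cmid of the module to copy

if (!empty($duplicate)) {
    $cm = get_coursemodule_from_id('', $duplicate, 0, true, MUST_EXIST);
    $course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);

    require_login($course, false, $cm);
    $modcontext = context_module::instance($cm->id);
    require_capability('moodle/course:manageactivities', $modcontext);

    // The missing check. confirm_sesskey() reads the parameter with
    // required_param('sesskey', PARAM_RAW), so a request without it fails with
    // "A required parameter (sesskey) was missing" (Test 2, step 5), and a
    // request carrying a wrong value fails with an invalid sesskey error.
    // In both cases execution stops here and nothing is duplicated.
    require_sesskey();

    // duplicate_module() is assumed to be the 2.8 course/lib.php helper.
    $newcm = duplicate_module($course, $cm);
    redirect(course_get_url($course, $cm->sectionnum));
}

// Elsewhere, where the editing icons are rendered (non-JS path): the URL
// must embed the current user's session key, otherwise the legitimate click
// in Test 2 steps 7-8 would now be rejected as well.
$duplicateurl = new moodle_url('/course/mod.php',
    array('duplicate' => $cm->id, 'sesskey' => sesskey()));
```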

              People

              Assignee:
              dmonllao David Monllaó
              Reporter:
              skodak Petr Skoda
              Peer reviewer:
              Marina Glancy
              Integrator:
              Dan Poltawski
              Tester:
              Adrian Greeve
              Participants:
              Component watchers:
              Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona), Víctor Déniz Falcón
              Votes:
              0
              Watchers:
              3

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                10/Nov/14