
$duplicate action in course/mod.php does not include a sesskey check


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.8
    • Fix Version/s: 2.8
    • Component/s: Course
    • Labels:
    • Testing Instructions:

      Test 1
      Run behat or ask the integrators about its results regarding the duplicated activities tests

      Test 2

      You will need a course with at least one activity

      1. Disable JS on your browser
      2. Go to that course as an admin or teacher and turn editing mode on
      3. Get the duplicate activity link (a tag wrapping duplicate icon in the source code)
      4. Copy it into another browser window and remove the sesskey param
      5. You SHOULD see an "A required parameter (sesskey) was missing" error
      6. The activity SHOULD NOT be duplicated
      7. Back to the main window, click on the duplicate icon
      8. The activity SHOULD be duplicated
      9. Enable JS again in your browser
      10. Refresh the course main page
      11. Click on the duplicate activity icon
      12. The activity SHOULD be duplicated
    • Affected Branches:
      MOODLE_28_STABLE
    • Fixed Branches:
      MOODLE_28_STABLE

Description

I guess this cannot be used for CSRF, but still deleting tons of activities created by some joker would not be very funny
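The following is an added example, not Moodle's own course/mod.php or any code from this issue. It models the duplicate action with and without a sesskey check so that the three cases in the testing instructions above (token removed, token present, and a token that does not belong to the session) can be reproduced offline. The helper functions keep the names and signatures of the Moodle functions they imitate (sesskey, confirm_sesskey, require_sesskey, optional_param, required_param), but their bodies are simplified stand-ins written for this example; the course contents, query strings and the "(copy)" naming are constructed here.

```php
<?php
// Added example, not Moodle's course/mod.php: a self-contained model of the
// "duplicate" action with and without a sesskey check. The helpers below are
// simplified stand-ins that keep the names and signatures of the Moodle
// functions they imitate; the bodies are this example's own.

const PARAM_INT = 'int';
const PARAM_RAW = 'raw';

// Session-bound anti-CSRF token: generated once per session and never
// derivable from anything a third-party page can see or guess.
function sesskey(): string {
    static $key = null;
    if ($key === null) {
        $key = bin2hex(random_bytes(5)); // 10 characters, like Moodle's sesskey
    }
    return $key;
}

// Minimal stand-ins for Moodle's parameter accessors, reading $_GET only.
function optional_param(string $parname, $default, string $type) {
    if (!isset($_GET[$parname])) {
        return $default;
    }
    return $type === PARAM_INT ? (int) $_GET[$parname] : (string) $_GET[$parname];
}

function required_param(string $parname, string $type) {
    if (!isset($_GET[$parname])) {
        // The error the testing instructions expect once the param is stripped.
        throw new RuntimeException("A required parameter ($parname) was missing");
    }
    return optional_param($parname, null, $type);
}

function confirm_sesskey(?string $sesskey = null): bool {
    if ($sesskey === null) {
        $sesskey = required_param('sesskey', PARAM_RAW); // throws if absent
    }
    return hash_equals(sesskey(), $sesskey); // constant-time comparison
}

function require_sesskey(): void {
    if (!confirm_sesskey()) {
        throw new RuntimeException('Incorrect sesskey submitted, form not accepted!');
    }
}

// Before the fix: any GET carrying ?duplicate=<cmid> performs the state change.
function duplicate_before_fix(array $activities): array {
    $cmid = optional_param('duplicate', 0, PARAM_INT);
    if ($cmid && isset($activities[$cmid])) {
        $activities[] = $activities[$cmid] . ' (copy)';
    }
    return $activities;
}

// After the fix: the copy is only made when the request carries the caller's
// own session token, so a link built by another site cannot trigger it.
function duplicate_after_fix(array $activities): array {
    $cmid = optional_param('duplicate', 0, PARAM_INT);
    if ($cmid && isset($activities[$cmid])) {
        require_sesskey();
        $activities[] = $activities[$cmid] . ' (copy)';
    }
    return $activities;
}

// Run one handler against a constructed query string and report the outcome.
function attempt(callable $handler, string $query, array $activities): string {
    parse_str($query, $_GET);
    try {
        $after = $handler($activities);
        return count($after) > count($activities) ? 'DUPLICATED' : 'no-op';
    } catch (RuntimeException $e) {
        return 'refused: ' . $e->getMessage();
    }
}

// Constructed course with a single activity, cmid 1.
$course = [1 => 'Forum'];

$forged = 'duplicate=1';                                // link with the sesskey param removed
$legit  = 'duplicate=1&sesskey=' . sesskey();           // the link editing mode renders
$wrong  = 'duplicate=1&sesskey=not-the-real-key';       // a token from some other session

printf("before fix, token removed : %s\n", attempt('duplicate_before_fix', $forged, $course));
printf("after fix,  token removed : %s\n", attempt('duplicate_after_fix', $forged, $course));
printf("after fix,  wrong token   : %s\n", attempt('duplicate_after_fix', $wrong, $course));
printf("after fix,  teacher's link: %s\n", attempt('duplicate_after_fix', $legit, $course));
```

Run it with `php` on the command line. The first line shows the pre-fix behaviour, where stripping the token still produces a copy; the second reproduces step 5 of the testing instructions, the third shows that a present but foreign token is also rejected, and the last shows the normal path from steps 7 and 11 succeeding. Whether a token is missing or merely wrong, the handler refuses before any state change, which is the property the testing instructions verify.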

People

• Votes: 0
• Watchers: 3

Dates

• Fix Release Date: 10/Nov/14