Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-48014

funny access control in question/toggleflag.php

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 2.5.6, 2.6.3, 2.7
    • Fix Version/s: BACKEND
    • Component/s: Questions
    • Labels:
    • Affected Branches:
      MOODLE_25_STABLE, MOODLE_26_STABLE, MOODLE_27_STABLE

      Description

      First I looked at question/toggleflag.php which seemed to lack any access control, then I went deeper to find out what the magic checksum is and I was greatly amused by the use of user->secret in question_flags::get_toggle_checksum(). The secret is empty very often or known to each user because they get it in email.

      I have no idea what a question state is, but I find it funny that I can flip it at will even as a guest if I somehow guess the combination of ids which may be disclosed when taking actual test. Nothing is logged there either, you need to dig in Apache logs to see what is going on.

      I would personally expect a real access control there instead of some magic md5 checksum done using some easy to guess values...

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              skodak Petr Skoda
              Participants:
              Component watchers:
              Tim Hunt, Andrew Nicols, Mathew May, Michael Hawkins, Shamim Rezaie, Simey Lameze
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated: