
funny access control in question/toggleflag.php


Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Do
    • Affects Versions: 2.5.6, 2.6.3, 2.7
    • BACKEND
    • Questions
    • Affected Branches: MOODLE_25_STABLE, MOODLE_26_STABLE, MOODLE_27_STABLE

    Description

      First I looked at question/toggleflag.php which seemed to lack any access control, then I went deeper to find out what the magic checksum is and I was greatly amused by the use of user->secret in question_flags::get_toggle_checksum(). The secret is empty very often or known to each user because they get it in email.

      I have no idea what a question state is, but I find it funny that I can flip it at will even as a guest if I somehow guess the combination of ids, which may be disclosed when taking an actual test. Nothing is logged there either; you need to dig into the Apache logs to see what is going on.

      I would personally expect real access control there instead of some magic md5 checksum computed from easy-to-guess values...
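The weakness the report describes, next to the kind of access control it asks for, as an added example that is not Moodle's code: the checksum function is only modelled on the report's description of get_toggle_checksum(), and the function names, id format, sample user secrets and server key are all assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for the design the report criticises: an md5 over the
# request ids plus a per-user "secret" that is often empty or known to the
# user. NOT Moodle's actual question_flags::get_toggle_checksum().
def weak_toggle_checksum(qubaid: int, questionid: int, sessionid: int,
                         user_secret: str) -> str:
    data = f"{qubaid}_{questionid}_{sessionid}_{user_secret}".encode()
    return hashlib.md5(data).hexdigest()

# Constructed user table: per the report, the secret "is empty very often".
USER_SECRETS = {5: "", 6: ""}

# Hardened alternative (an assumption, not a Moodle API): HMAC-SHA256 keyed
# with a server-side key the user never sees, binding the ids to the user.
SERVER_KEY = secrets.token_bytes(32)  # constructed; kept server-side in practice

def toggle_token(qubaid: int, questionid: int, sessionid: int, userid: int,
                 key: bytes = SERVER_KEY) -> str:
    msg = f"{qubaid}|{questionid}|{sessionid}|{userid}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def authorize_toggle(token: str, qubaid: int, questionid: int, sessionid: int,
                     userid: Optional[int], attempt_owner: int,
                     key: bytes = SERVER_KEY) -> bool:
    """Real access control first, integrity token second."""
    # 1. Guests (no user id) and users who do not own the attempt are refused
    #    regardless of what token they present.
    if userid is None or userid != attempt_owner:
        return False
    # 2. Only then confirm the token was minted by the server for these ids;
    #    a user who knows the ids still cannot compute it without the key.
    expected = toggle_token(qubaid, questionid, sessionid, userid, key)
    return hmac.compare_digest(expected, token)
```

The first assertion in a test would be that two different users with empty secrets get the same weak checksum for the same ids, which is exactly why the report says the value can be guessed from the ids alone.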


          People

            Assignee: Unassigned
            Reporter: Petr Skoda (skodak)
            Participants: Safat Shahin, Tim Hunt, Amaia Anabitarte, Bas Brands, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Kevin Percy, Laurent David, Mathew May, Mihail Geshoski, Sabina Abellan, Sara Arjona (@sarjona), Shamim Rezaie
            Votes: 0
            Watchers: 2