Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-50689

Improve security reporting for https settings and user enumeration risk

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 2.6.11, 2.7.8, 2.8.6, 2.9
    • Fix Version/s: None
    • Component/s: Reports
    • Labels:
    • Testing Instructions:
      Hide

      HTTPS testing

      You need a site with https

      1. Go to security overview report - verify https and secure cookie warnings work
      2. Verify there is no XSS warning in fresh new install, it should pop up once you assign any teacher or manager

      User enumeration

      1. View the security report (Administration > Site administration > Reports > Security overview) on a clean install and check that you don't get a warning for user enumeration.
      2. Turn on self registration, (Site administration > Plugins > Authentication > Manage authentication.)
      3. Check you get a warning for user enumeration on the Security Report page.
      4. Turn off self registration
      5. Check you do not get a warning for user enumeration on the Security Report page..
      6. Turn off protect usernames, (Site administration > Security > Site policies.)
      7. Check you get a warning for user enumeration on the Security Report page.
      Show
      HTTPS testing You need a site with https Go to security overview report - verify https and secure cookie warnings work Verify there is no XSS warning in fresh new install, it should pop up once you assign any teacher or manager User enumeration View the security report (Administration > Site administration > Reports > Security overview) on a clean install and check that you don't get a warning for user enumeration. Turn on self registration, (Site administration > Plugins > Authentication > Manage authentication.) Check you get a warning for user enumeration on the Security Report page. Turn off self registration Check you do not get a warning for user enumeration on the Security Report page.. Turn off protect usernames, (Site administration > Security > Site policies.) Check you get a warning for user enumeration on the Security Report page.
    • Affected Branches:
      MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE, MOODLE_29_STABLE
    • Pull Master Branch:
      50689-30
    • Pull Master Diff URL:

      Description

      Hi guys,

      A penetration test recently commissioned for Totara identified two security risks that we decided did not require fixing, but that we did identify as security concerns that should be expressed on the security overview report.

      The two concerns identified were:

      1. User enumeration via login/signup.php
      2. HTTPOnly and Secure flags not set on cookie

      In regards to user enumeration, this is a known consequence of turning on self registration.
      The same is true for several other scripts if the protectusernames has been turned off.
      While this is a known consequence to developers it is not reflected on the security overview report and really ought to be.

      In regards to HTTPOnly and secure flags, we had stated in our provisioning of the penetration testing that the site would not be run on HTTPS but that our recommendation is for all production sites to be run on HTTPS and that we have settings for several security improvements that can be enabled for a site running on HTTPS.
      However after this was still reported we completed a review of these setting and identified that the security overview report does not reflect the nature of these settings.

      I'll attach patches shortly that improve the information provided on the security overview report to deal with things.

        Attachments

        1. 50689-27.patch
          10 kB
        2. 50689-28.patch
          10 kB
        3. 50689-29.patch
          10 kB
        4. 50689-30.patch
          10 kB

          Issue Links

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              samhemelryk Sam Hemelryk
              Participants:
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated: