MDL-53677

Missing sesskey check in admin spam cleaner module


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.3
    • Fix Version/s: 3.1.4, 3.2.1
    • Component/s: Reports
    • Labels:
    • Testing Instructions:
      1. Create a few forum posts/blogs as a (non-admin) user with some inappropriate content.
      2. If you are a really good person and don't know any "inappropriate words", go to the spam cleaner and click on "auto detect common spam patterns" and it will tell you some.
      3. Go to the spam cleaner and search for spam using words that you wrote or using auto detect.
      4. Try various actions in the results and make sure there is no regression.
      5. Go to the URL http://localhost/stable_master/admin/tool/spamcleaner/index.php?ignore=yes&id=4 (replace id with a spammer userid) and make sure you get an error.
      6. Go to the above URL again but this time add sesskey=$YOUR_SESS_KEY and make sure this time "true" is returned.
    • Difficulty:
      Easy
    • Affected Branches:
      MOODLE_30_STABLE
    • Fixed Branches:
      MOODLE_31_STABLE, MOODLE_32_STABLE
    • Pull Master Branch:
      MDL-53677-master

      Description

      Hello,

      In the spam cleaner module of Moodle there is the ability to search for keywords and choose to delete the user or ignore the result. There is missing CSRF protection (sesskey is not needed) on the ignore option.

      Normal URL:
      DOMAIN/moodle/admin/tool/spamcleaner/index.php?ignore=yes&sesskey={sesskey}&id=3

      What I expected:
      DOMAIN/moodle/admin/tool/spamcleaner/index.php?ignore=yes&id=3 request is posted.
      Response: 404 Not Found & user in id= is not ignored.

      What actually happens:
      DOMAIN/moodle/admin/tool/spamcleaner/index.php?ignore=yes&id=3
      Response: true & the user specified in id= is ignored.
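The following is an added example, not Moodle's own admin/tool/spamcleaner/index.php and not code from the reporter. It is a reduced, stand-alone PHP model of the "ignore" endpoint described above, showing why a state-changing GET that only checks the admin's session cookie is forgeable, and what the sesskey check from the fix does. Moodle's real helpers are sesskey(), confirm_sesskey() and require_sesskey() (the last throws moodle_exception('invalidsesskey')); the model_* functions, ignore_handler(), the $ignored array standing in for the database write, and RuntimeException standing in for moodle_exception are all assumptions made for this illustration.

```php
<?php
// Added example, not the Moodle source: a reduced model of the spam cleaner's
// "ignore" endpoint before and after a sesskey check is added.

// Model of sesskey(): a per-session random token that the UI embeds in every
// state-changing link or form. An attacker page cannot read it.
function model_sesskey(array &$session): string {
    if (empty($session['sesskey'])) {
        $session['sesskey'] = bin2hex(random_bytes(5)); // 10 chars, like Moodle's random_string(10)
    }
    return $session['sesskey'];
}

// Model of confirm_sesskey(): compare the request's sesskey with the session's.
function model_confirm_sesskey(array $session, array $request): bool {
    if (empty($request['sesskey']) || empty($session['sesskey'])) {
        return false;
    }
    // constant-time comparison; do not compare tokens with == or ===
    return hash_equals($session['sesskey'], (string)$request['sesskey']);
}

// Model of require_sesskey(): abort the request if the token does not match.
function model_require_sesskey(array $session, array $request): void {
    if (!model_confirm_sesskey($session, $request)) {
        throw new RuntimeException('invalidsesskey');
    }
}

// The handler as the issue describes it: ignore=yes&id=N is actioned as long as
// the request arrives with a logged-in admin's cookies. $patched switches the
// sesskey check on (the fix) or off (the reported behaviour).
function ignore_handler(array $session, array $request, array &$ignored, bool $patched): string {
    $ignore = isset($request['ignore']) && $request['ignore'] === 'yes';
    $id     = (int)($request['id'] ?? 0);
    if (!$ignore || $id <= 0) {
        return '';
    }
    if ($patched) {
        model_require_sesskey($session, $request); // the missing check
    }
    $ignored[$id] = true;   // stands in for the database update
    return 'true';          // the endpoint echoes "true" on success (see Testing Instructions)
}

// --- demonstration ---
$session = [];                  // the admin's server-side session
$ignored = [];
$key = model_sesskey($session);

// 1. Forged request: what an <img src=".../index.php?ignore=yes&id=3"> on an
//    attacker-controlled page produces when a logged-in admin's browser loads it.
//    The attacker does not know the sesskey, so the query carries none.
$forged = ['ignore' => 'yes', 'id' => '3'];

// Unpatched: the user is ignored and "true" is returned.
echo "unpatched, forged: ", ignore_handler($session, $forged, $ignored, false),
     ", ignored=", count($ignored), "\n";

// Patched: rejected before any state changes.
$ignored = [];
try {
    ignore_handler($session, $forged, $ignored, true);
    echo "patched, forged: accepted (BUG)\n";
} catch (RuntimeException $e) {
    echo "patched, forged: rejected (", $e->getMessage(), "), ignored=", count($ignored), "\n";
}

// 2. Legitimate request from the spam cleaner UI, whose links embed the sesskey.
$legit = ['ignore' => 'yes', 'id' => '3', 'sesskey' => $key];
echo "patched, with sesskey: ", ignore_handler($session, $legit, $ignored, true),
     ", ignored=", count($ignored), "\n";
```

Run it with `php csrf_model.php`: the forged request succeeds against the unpatched handler, is rejected with invalidsesskey against the patched one, and the UI's own link (which carries the token) still works. When auditing a script like this, check every branch that changes state, not only the one reported; the testing instructions above exercise the other actions for that reason.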

        People

        • Votes: 0
        • Watchers: 3

              Dates

        • Fix Release Date: 9/Jan/17