MDL-66237

Remove redundant message notification read redirect URL parameter


    Details

    • Testing Instructions:

      Prerequisite: You need access to your test Moodle site's SQL database to fetch some notification IDs.

      Setup

      1. Have a Moodle site with at least 3 users (referred to as user A, user B and user C).

      Testing

      1. Login as user A.
      2. Send a contact request from user A to user B (see the attached video contact-request.mp4 for how to do this).
      3. In your Moodle site's SQL database, in the 'notifications' table (eg mdl_notifications), find the most recent entry (highest ID), which should have the subject "Contact request from user A". Note down the value from the "id" column (referred to later as value 1).
      4. Send a contact request from user A to user C.
      5. In your Moodle site's SQL database, refresh your view of the 'notifications' table, and again find the most recent entry (highest ID), which should have the subject "Contact request from user A", and have an ID at least one larger than the one noted in the previous step. Note down the value from the "id" column (referred to later as value 2).
      6. Login as user B.
      7. Navigate to the following link, replacing <wwwroot> with your site's host root (eg localhost/stable_master), and replacing <ID HERE> with the ID you noted down as value 1.

        <wwwroot>/message/output/popup/mark_notification_read.php?notificationid=<ID HERE>&redirecturl=http%3A%2F%2Fgoogle.com

      8. **CONFIRM you are redirected to user B's contact requests page (<wwwroot>/message/index.php?view=contactrequests). (If the patch is not applied, that link should redirect you to Google).
      9. Navigate to the same link as step 7, but replace the notificationid number with the ID you noted down as value 2.
      10. **CONFIRM you are redirected to the site homepage.
    • Affected Branches:
      MOODLE_37_STABLE, MOODLE_38_STABLE
    • Fixed Branches:
      MOODLE_37_STABLE, MOODLE_38_STABLE
    • Pull 3.8 Branch:
    • Pull Master Branch:
      MDL-66237-master

      Description

      The mark_notification_read.php script contains an open redirect (the $redirecturl parameter), which can be manipulated to send users off-site, e.g. with the following URL:

      http://moodle.internal/master/message/output/popup/mark_notification_read.php?notificationid=3&redirecturl=http://google.com

      Because the attacker must know the ID of a notification received by the targeted user, this is quite difficult to exploit in practice.

      The parameter seems redundant anyway: the redirect target can be obtained directly from the $notification->contexturl field.

      To reproduce:

      1. Login as user A
      2. Send a contact request from user A to user B
      3. Login as user B
      4. Open notification drawer
      5. Hover over the "Contact request" notification
      6. Update &redirecturl=[URL] parameter
      7. Click on notification to mark as read
      8. Note you are redirected offsite to [URL]
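      The before/after behaviour of the handler, modelled in Python as an added example. This is not Moodle's PHP code: the Notification class, sample_db(), SITE_ROOT and the notification ids 101/102 are constructed stand-ins for the mdl_notifications table and the site's <wwwroot>. The fixed handler ignores the request's redirecturl, uses the stored contexturl, and falls back to the homepage when the notification does not belong to the current user (the outcome checked in testing steps 8 and 10).

```python
"""Model of the notification 'mark as read' handler, before and after the fix.

Added example, not Moodle's code. Notification, sample_db, SITE_ROOT and the
notification ids are assumptions made for this illustration.
"""
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

SITE_ROOT = "https://moodle.example"   # constructed <wwwroot>
HOMEPAGE = SITE_ROOT + "/"


@dataclass
class Notification:
    id: int
    useridto: int                      # recipient user id
    contexturl: str                    # target stored server-side at creation
    timeread: Optional[int] = None


def sample_db() -> dict:
    """Constructed stand-in for the notifications table: user A (id 1) has
    sent contact requests to user B (id 2) and user C (id 3)."""
    requests_page = SITE_ROOT + "/message/index.php?view=contactrequests"
    return {
        101: Notification(101, useridto=2, contexturl=requests_page),
        102: Notification(102, useridto=3, contexturl=requests_page),
    }


def mark_read_vulnerable(params: dict, current_user: int, db: dict) -> str:
    """Pre-fix behaviour: the redirect target is taken verbatim from the
    request, so any visitor can be sent off-site regardless of who owns the
    notification."""
    notification = db.get(int(params["notificationid"]))
    if notification is not None and notification.useridto == current_user:
        notification.timeread = int(time.time())
    return params["redirecturl"]       # attacker-controlled open redirect


def mark_read_fixed(params: dict, current_user: int, db: dict) -> str:
    """Post-fix behaviour: the redirecturl parameter is ignored; the target is
    the contexturl stored with the notification, or the homepage when the
    notification is missing or belongs to someone else."""
    notification = db.get(int(params["notificationid"]))
    if notification is None or notification.useridto != current_user:
        return HOMEPAGE
    notification.timeread = int(time.time())
    return notification.contexturl or HOMEPAGE


def is_same_site(url: str) -> bool:
    """Tester's check for steps 8 and 10: the final location must stay on
    the site's own scheme and host."""
    target, site = urlsplit(url), urlsplit(SITE_ROOT)
    return (target.scheme, target.netloc) == (site.scheme, site.netloc)


if __name__ == "__main__":
    # Same request as the issue: user B (id 2) follows a link for their own
    # notification with redirecturl pointing at google.com.
    request = {"notificationid": "101", "redirecturl": "http://google.com"}
    print("before:", mark_read_vulnerable(request, current_user=2, db=sample_db()))
    print("after: ", mark_read_fixed(request, current_user=2, db=sample_db()))
```

      Run as a script it prints the off-site location for the vulnerable handler and the on-site contact requests page for the fixed one; is_same_site() is the assertion a test harness would make on the final Location header.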

        Attachments

        1. contact-request.mp4
          161 kB
        2. MDL-66237.jpg
          MDL-66237.jpg
          55 kB
        3. MDL-66237.patch
          3 kB
        4. MDL-66237-35.patch
          3 kB
        5. MDL-66237-36.patch
          3 kB
        6. MDL-66237-37.patch
          3 kB

          Activity

            People

            Assignee:
            pholden Paul Holden
            Reporter:
            pholden Paul Holden
            Peer reviewer:
            Michael Hawkins
            Integrator:
            Adrian Greeve
            Tester:
            Anna Carissa Sadia
            Participants:
            Component watchers:
            Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona)
            Votes:
            0
            Watchers:
            6

              Dates

              Created:
              Updated:
              Resolved:
              Fix Release Date:
              9/Mar/20

                Time Tracking

                Estimated:
                0m
                Remaining:
                0m
                Logged:
                1d 1h