Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-66237

Remove redundant message notification read redirect URL parameter

    XMLWordPrintable

Details

    • MOODLE_37_STABLE, MOODLE_38_STABLE
    • MOODLE_37_STABLE, MOODLE_38_STABLE
    • MDL-66237-master
    • Hide

      Prerequisite: You need access to your test Moodle site's SQL database to fetch some notification IDs.

      Setup

      1. Have a Moodle site with at least 3 users (referred to as user A, user B and user C).

      Testing

      1. Login as user A.
      2. Send a contact request from user A to user B. (see the video attached for how to do this contact-request.mp4)
      3. In your Moodle site's SQL database, in the 'notifications' table (eg mdl_notifications), find the most recent entry (highest ID), which should have the subject "Contact request from user A". Note down the value from the "id" column (referred to later as value 1).
      4. Send a contact request from user A to user C.
      5. In your Moodle site's SQL database, refresh your view of the 'notifications' table, and again find the most recent entry (highest ID), which should have the subject "Contact request from user A", and have an ID at least one larger than the one noted in the previous step. Note down the value from the "id" column (referred to later as value 2).
      6. Login as user B.
      7. Navigate to the following link, replacing <wwwroot> with your site's host root (eg localhost/stable_master), and replacing <ID HERE> with the ID you noted down as value 1. 

        <wwwroot>/message/output/popup/mark_notification_read.php?notificationid=<ID HERE>&redirecturl=http%3A%2F%2Fgoogle.com

      8. **CONFIRM you are redirected to user B's contact requests page (<wwwroot>/message/index.php?view=contactrequests). (If the patch is not applied, that link should redirect you to Google).
      9. Navigate to the same link as step 7, but replace the notificationid number with the ID you noted down as value 2.
      10. **CONFIRM you are redirected to the site homepage.
      Show
      Prerequisite: You need access to your test Moodle site's SQL database to fetch some notification IDs. Setup Have a Moodle site with at least 3 users (referred to as user A, user B and user C). Testing Login as user A. Send a contact request from user A to user B. (see the video attached for how to do this contact-request.mp4) In your Moodle site's SQL database, in the 'notifications' table (eg mdl_notifications), find the most recent entry (highest ID), which should have the subject "Contact request from user A". Note down the value from the "id" column (referred to later as value 1 ). Send a contact request from user A to user C. In your Moodle site's SQL database, refresh your view of the 'notifications' table, and again find the most recent entry (highest ID), which should have the subject "Contact request from user A", and have an ID at least one larger than the one noted in the previous step. Note down the value from the "id" column (referred to later as value 2 ). Login as user B. Navigate to the following link, replacing <wwwroot> with your site's host root (eg localhost/stable_master ), and replacing <ID HERE> with the ID you noted down as value 1. <wwwroot>/message/output/popup/mark_notification_read.php?notificationid=<ID HERE>&redirecturl=http%3A%2F%2Fgoogle.com ** CONFIRM you are redirected to user B's contact requests page ( <wwwroot>/message/index.php?view=contactrequests ). (If the patch is not applied, that link should redirect you to Google). Navigate to the same link as step 7, but replace the notificationid number with the ID you noted down as value 2. ** CONFIRM you are redirected to the site homepage.

    Description

      The mark_notifications_read.php script contains an open redirect (the $redirecturl parameter), which can be manipulated to send users offsite - i.e. with the following URL:

      http://moodle.internal/master/message/output/popup/mark_notification_read.php?notificationid=3&redirecturl=http://google.com

      Knowing the ID value for any notification received by a specific user makes this quite difficult to exploit in practice

      Seems like the parameter is redundant anyway and the $redirecturl can be obtained directly from the $notification->contexturl field

      To reproduce:

      1. Login as user A
      2. Send a contact request from user A to user B
      3. Login as user B
      4. Open notification drawer
      5. Hover over the "Contact request" notification
      6. Update &redirecturl=[URL] parameter
      7. Click on notification to mark as read
      8. Note you are redirected offsite to [URL]

      Attachments

        1. contact-request.mp4
          161 kB
        2. MDL-66237.jpg
          MDL-66237.jpg
          55 kB
        3. MDL-66237.patch
          3 kB
        4. MDL-66237-35.patch
          3 kB
        5. MDL-66237-36.patch
          3 kB
        6. MDL-66237-37.patch
          3 kB

        Activity

          People

            pholden Paul Holden
            pholden Paul Holden
            Michael Hawkins Michael Hawkins
            Adrian Greeve Adrian Greeve
            Anna Carissa Sadia Anna Carissa Sadia
            David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:
              9/Mar/20

              Time Tracking

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 1 day, 1 hour
                1d 1h