Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-67582

Session cookie allows to login into another user account without user or password

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Not a bug
    • Icon: Minor Minor
    • None
    • 3.8
    • Logging
    • None
    • MOODLE_38_STABLE

      You might already by aware of this issue but I want it to report it anyway because it can cause great harm.

       

      When you enter into a moodel web page a Cookie is downloaded with a random value which I presume is a session identifier.

      By changing the value of the Cookie to a value of a currently active user it is possible to login as such user. It is not a permanent way of owning access to an account it only lasts until the Cookie expires but capturing new cookies usually is not hard, especially on school environments.

       Video: https://drive.google.com/file/d/1gFaCzb-vXw3txUl3rzW31az__G_G0pDi/view?usp=sharing

      At my school I was able of exploting this vulnerability by first executing an ARP poisoning attack redirecting the traffic to my computer, them using an sniffer I filtered the traffic to only look for frames containing cookies and that was it, I just had to wait for people to login.

            Unassigned Unassigned
            FatBoooy Oiher Poplawski
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved:

                Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.