- Bug
- Resolution: Fixed
- Minor
- 3.8.2, 3.10
- MOODLE_310_STABLE, MOODLE_38_STABLE
- MOODLE_38_STABLE, MOODLE_39_STABLE
- MDL-68292-admin-sesskey
- Easy
This page links to HTTP GET pages which include the sesskey but do not need it, and which also do not redirect away, so the sesskey persists in the browser URL.
https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url
Visit: http://moodle.local/admin/modules.php
1) This first is the list of activities, here the sesskey is not needed at all:
http://moodle.local/course/search.php?modulelist=assign&sesskey=xxxxxxxxx
2) The second is the uninstall confirm page:
http://moodle.local/course/search.php?modulelist=assign&sesskey=xxxxxxxxx
Here also the sesskey is not needed until you confirm, and in that case it should be an HTTP POST anyway.
3) This page also links to the same place with the same issue:
http://moodle.local/admin/plugins.php
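As an added example (not from this tracker issue or from Moodle's own code), a small Python audit that strips sesskey from a navigation link and, over constructed combined-format access log lines, flags GET requests that carry the token in the URL and Referer headers that carry it onward to the next page; the log lines and the moodle.local host are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Moodle's CSRF token travels in the "sesskey" parameter.
TOKEN_PARAMS = {"sesskey"}

# Apache/nginx "combined" log format: client, ident, user, time, request, status, bytes, referer, agent
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$'
)

def has_token_in_query(url: str) -> bool:
    """True if the URL (absolute or path-only) carries the token in its query string."""
    query = urlsplit(url).query
    return any(k in TOKEN_PARAMS for k, _ in parse_qsl(query, keep_blank_values=True))

def strip_token(url: str) -> str:
    """Return the link as a plain navigation link should carry it: same URL without sesskey."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in TOKEN_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))

def audit_access_log(lines):
    """Flag GET requests carrying the token in the URL, and Referer headers that re-send it."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        _client, method, target, _status, referer = m.groups()
        if method == "GET" and has_token_in_query(target):
            findings.append(("token_in_get_url", target))
        if has_token_in_query(referer):
            findings.append(("token_leaked_via_referer", referer))
    return findings

# Constructed sample lines mirroring the navigation described in the report.
SAMPLE_LOG = [
    '10.0.0.5 - admin [10/Apr/2020:09:00:00 +0000] "GET /admin/modules.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '10.0.0.5 - admin [10/Apr/2020:09:00:05 +0000] "GET /course/search.php?modulelist=assign&sesskey=xxxxxxxxx HTTP/1.1" 200 4096 "http://moodle.local/admin/modules.php" "Mozilla/5.0"',
    '10.0.0.5 - admin [10/Apr/2020:09:00:09 +0000] "GET /mod/assign/view.php?id=7 HTTP/1.1" 200 5120 "http://moodle.local/course/search.php?modulelist=assign&sesskey=xxxxxxxxx" "Mozilla/5.0"',
    '10.0.0.5 - admin [10/Apr/2020:09:01:00 +0000] "POST /admin/modules.php HTTP/1.1" 303 0 "http://moodle.local/admin/modules.php" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for kind, url in audit_access_log(SAMPLE_LOG):
        print(f"{kind}: {url}")
```

The third sample line is the case the report describes: because the search page did not redirect away, the token-bearing URL becomes the Referer of the next request, which is how it reaches places a CSRF token should never go.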