Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-68292

admin/modules.php exposes CSRF token (sesskey) in url

    XMLWordPrintable

Details

    Description

      This page links to http GET pages which includes the sesskey but which do not need it, and which also do not redirect away so the sesskey persists in the browser url.

      https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url

      Visit: http://moodle.local/admin/modules.php

       

      1) This first is the list of activities, here the sesskey is not needed at all:

      http://moodle.local/course/search.php?modulelist=assign&sesskey=xxxxxxxxx

       

      2) The second is the uninstall confirm page:

      http://moodle.local/course/search.php?modulelist=assign&sesskey=xxxxxxxxx

      Here also the sesskey is not needed until you confirm, and then in that case it should be a http post anyway.

      3) This page also links to the same place with the same issue:

      http://moodle.local/admin/plugins.php

       

       

      Attachments

        Activity

          People

            brendanheywood Brendan Heywood
            brendanheywood Brendan Heywood
            Peter Burnett Peter Burnett
            Jake Dallimore Jake Dallimore
            Anna Carissa Sadia Anna Carissa Sadia
            Andrew Lyons, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:
              9/Nov/20

              Time Tracking

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 2 hours, 10 minutes
                2h 10m