
admin/modules.php exposes CSRF token (sesskey) in url


    • MOODLE_310_STABLE, MOODLE_38_STABLE
    • MOODLE_38_STABLE, MOODLE_39_STABLE
    • MDL-68292-admin-sesskey
    • Easy

      1) Log in as admin and visit http://moodle.local/admin/modules.php

      2) Ensure you have some activities present in the site somewhere

      3) Click on the number in the second column, confirm that the URL you end up on does not have a sesskey in it

      4) Go back, click on the hide toggle, confirm you do not end up with a URL which contains the sesskey

      5) Go back, click on the show toggle, confirm you do not end up with a URL which contains the sesskey

      6) Click on the uninstall link, confirm you do not end up with a URL which contains the sesskey

      This page links to HTTP GET pages which include the sesskey but which do not need it, and which also do not redirect away, so the sesskey persists in the browser URL.

      https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url

      Visit: http://moodle.local/admin/modules.php

      1) The first is the list of activities, here the sesskey is not needed at all:

      http://moodle.local/course/search.php?modulelist=assign&sesskey=xxxxxxxxx

      2) The second is the uninstall confirm page:

      http://moodle.local/course/search.php?modulelist=assign&sesskey=xxxxxxxxx

      Here also the sesskey is not needed until you confirm, and then in that case it should be an HTTP POST anyway.

      3) This page also links to the same place with the same issue:

      http://moodle.local/admin/plugins.php
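The report asks testers to confirm two things by eye: that the admin page's links do not carry a sesskey they do not need, and that the URL the browser ends up on after each action is sesskey-free. As an added example that is not part of the report or of Moodle's own code, the Python below encodes those two checks so they can be run over a list of hrefs scraped from the page, and shows the sesskey-free URL a GET handler should redirect to once it has consumed the token (a token left in the address bar also travels in the Referer header of every outbound link, which is the exposure the linked OWASP entry describes). The sample links and step outcomes are constructed from the report; `xxxxxxxxx` is the report's own placeholder, and the clean outcomes for steps 4 to 6 are assumed, not observed.

```python
"""Spot sesskey values that leak into browser URLs (added example, not Moodle code)."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SESSKEY_PARAM = "sesskey"  # Moodle's CSRF token parameter name


def has_sesskey(url: str) -> bool:
    """True if the URL's query string carries a sesskey parameter."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return any(key == SESSKEY_PARAM for key, _ in query)


def strip_sesskey(url: str) -> str:
    """Return the same URL without its sesskey parameter, keeping the other
    parameters in their original order.  This is the URL a GET handler should
    redirect to after it has validated the token, so the token never persists
    in the address bar or browser history."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != SESSKEY_PARAM]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def find_sesskey_leaks(links):
    """Links (e.g. every href scraped from an admin page) that carry a sesskey."""
    return [link for link in links if has_sesskey(link)]


def audit_landing_urls(steps):
    """Mechanical form of the report's test steps: each step is
    (description, URL the browser ends up on).  Returns the descriptions of
    the steps whose final URL still carries the sesskey, i.e. the failures."""
    return [desc for desc, landing in steps if has_sesskey(landing)]


# Constructed sample data.  The first link is the one quoted in the report;
# the others are made up here to exercise the checks (parameter order varies,
# some links carry no query string at all).
ADMIN_PAGE_LINKS = [
    "http://moodle.local/course/search.php?modulelist=assign&sesskey=xxxxxxxxx",
    "http://moodle.local/admin/plugins.php",
    "http://moodle.local/course/search.php?sesskey=xxxxxxxxx&modulelist=forum",
    "http://moodle.local/admin/modules.php",
    "http://moodle.local/course/search.php?modulelist=quiz",
]

# Constructed landing URLs for the report's test steps 3 to 6.  Step 3 lands on
# the activity list with the sesskey still in the address bar (the reported
# behaviour); the other steps are shown as they should behave after a fix,
# redirecting to a page with no token in the URL (assumed, not observed).
TEST_STEPS = [
    ("3) activity count link", ADMIN_PAGE_LINKS[0]),
    ("4) hide toggle", "http://moodle.local/admin/modules.php"),
    ("5) show toggle", "http://moodle.local/admin/modules.php"),
    ("6) uninstall link", "http://moodle.local/admin/plugins.php"),
]

if __name__ == "__main__":
    for leak in find_sesskey_leaks(ADMIN_PAGE_LINKS):
        print(f"sesskey in link: {leak}")
        print(f"  safe form:     {strip_sesskey(leak)}")
    failed = audit_landing_urls(TEST_STEPS)
    print("failing test steps:", failed or "none")
```

The check is deliberately key-based rather than a substring match, so a parameter that merely contains the word (for example `notsesskey`) is not flagged, while the token is caught wherever it sits in the query string.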

       

       

            brendanheywood Brendan Heywood
            brendanheywood Brendan Heywood
            Peter Burnett Peter Burnett
            Jake Dallimore Jake Dallimore
            Anna Carissa Sadia Anna Carissa Sadia