  1. Moodle
  2. MDL-68292

admin/modules.php exposes sesskey in url


    Details

    • Testing Instructions:

      1) Log in as admin and visit http://moodle.local/admin/modules.php

      2) Ensure you have some activities present in the site somewhere

      3) Click on the number in the second column, confirm that the URL you end up on does not have a sesskey in it

      4) Go back, click on the hide toggle, confirm you do not end up with a URL which contains the sesskey

      5) Go back, click on the show toggle, confirm you do not end up with a URL which contains the sesskey

      6) Click on the uninstall link, confirm you do not end up with a URL which contains the sesskey

    • Difficulty:
      Easy
    • Affected Branches:
      MOODLE_38_STABLE
    • Pull 3.10 Branch:
      MDL-68292-admin-sesskey-MOODLE_310_STABLE
    • Pull Master Branch:
      MDL-68292-admin-sesskey

      Description

      This page links to HTTP GET pages which include the sesskey but which do not need it, and which also do not redirect away, so the sesskey persists in the browser URL.

      https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url

      Visit: http://moodle.local/admin/modules.php

       

      1) The first is the list of activities, here the sesskey is not needed at all:

      http://moodle.local/course/search.php?modulelist=assign&sesskey=xxxxxxxxx

       

      2) The second is the uninstall confirm page:

      http://moodle.local/course/search.php?modulelist=assign&sesskey=xxxxxxxxx

      Here also the sesskey is not needed until you confirm, and then in that case it should be an HTTP POST anyway.

      3) This page also links to the same place with the same issue:

      http://moodle.local/admin/plugins.php
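The check in the testing instructions can be run over saved page markup. The following is an added example, not code from the Moodle project or the reporter: it lists every GET request (link or GET form) on a page that would put the sesskey in the URL. The sample markup is constructed, and the `hide` and `uninstall` parameter names in it are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed markup modelled on the URLs in the report; the hide/uninstall
# parameter names are assumptions, not copied from Moodle.
SAMPLE_HTML = """
<a href="http://moodle.local/course/search.php?modulelist=assign&amp;sesskey=xxxxxxxxx">12</a>
<a href="http://moodle.local/admin/modules.php?hide=assign&amp;sesskey=xxxxxxxxx">Hide</a>
<a href="http://moodle.local/admin/plugins.php">Plugins overview</a>
<form method="get" action="http://moodle.local/admin/plugins.php">
  <input type="hidden" name="uninstall" value="mod_assign">
  <input type="hidden" name="sesskey" value="xxxxxxxxx">
</form>
<form method="post" action="http://moodle.local/admin/plugins.php">
  <input type="hidden" name="sesskey" value="xxxxxxxxx">
</form>
"""

def url_has_token(url, token="sesskey"):
    """True if the query string of url carries the session key parameter."""
    return token in parse_qs(urlsplit(url).query, keep_blank_values=True)

class SesskeyGetAudit(HTMLParser):
    """Collect GET requests (links and GET forms) that put sesskey in the URL."""
    def __init__(self, token="sesskey"):
        super().__init__()
        self.token = token
        self.get_form = None   # action of the GET form being parsed, if any
        self.findings = []     # (kind, url) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href") and url_has_token(a["href"], self.token):
            self.findings.append(("link", a["href"]))
        elif tag == "form":
            # A form with no method, or method="get", sends its fields in the URL.
            is_get = (a.get("method") or "get").lower() == "get"
            self.get_form = a.get("action", "") if is_get else None
        elif tag == "input" and a.get("name") == self.token and self.get_form is not None:
            self.findings.append(("get-form", self.get_form))

    def handle_endtag(self, tag):
        if tag == "form":
            self.get_form = None

def audit(html):
    parser = SesskeyGetAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

A flagged link only matches this issue when the page it lands on keeps the parameter, so apply `url_has_token` to the final URL after any redirect as well.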


            People

            Assignee:
            brendanheywood Brendan Heywood
            Reporter:
            brendanheywood Brendan Heywood
            Peer reviewer:
            Peter Burnett
            Component watchers:
            Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze